A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?
Trap 1: The switch lacks 'aaa new-model' configuration.
Incorrect because AAA is needed for RADIUS authentication, but the RADIUS server is reachable, so AAA is likely configured.
Trap 2: The switchport is configured as 'switchport mode trunk' instead of…
Incorrect because 802.1X can work on trunk ports, and the issue is authentication failure, not VLAN mismatch.
Trap 3: The RADIUS server is not configured with the correct shared secret.
Incorrect because the engineer verified the RADIUS server is reachable, and shared secret issues would cause different errors.
- A
The switch lacks 'aaa new-model' configuration.
Why wrong: AAA is needed for RADIUS authentication, but the RADIUS server is reachable, so AAA is likely configured.
- B
The switch is not configured to send EAP-Request/Identity packets; the 'dot1x timeout tx-period' is too long or missing.
Correct because without proper EAP initiation, the supplicant may not respond, leading to authentication failure.
- C
The switchport is configured as 'switchport mode trunk' instead of 'switchport mode access'.
Why wrong: 802.1X can work on trunk ports, and the issue is authentication failure, not VLAN mismatch.
- D
The RADIUS server is not configured with the correct shared secret.
Why wrong: The engineer verified the RADIUS server is reachable, and shared secret issues would cause different errors.