After adding a hub between the dot1x clients and the authentication device, no dot1x user can authenticate successfully.
Topology as below:
We checked the aaa online-fail-record and found the following information:
User name : b025aa0bb148
Domain name : default
User MAC : b025-aa0b-b148
User access type : None
User access interface : GigabitEthernet0/0/12
Qinq vlan/User vlan : 0/111
User IP address : 10.64.115.50
User IPV6 address : FE80::C9DE:EF4C:B85D:35EA
User ID : 36
User login time : 2017/11/08 20:21:27
User online fail reason : Radius authentication reject
Authen reply message : Authentication fail
1- We need to understand the dot1x authentication process.
2- We checked the dot1x statistics; no packets had been received from the dot1x clients.
3- We requested a capture on port g0/0/12, the interface connected to the hub, so that we can confirm whether the dot1x client or the hub sends EAP packets to the device.
Capture 1: normal EAP authentication process. The dot1x client is connected directly to the authentication device. There are 10 packets in total, from start to success.
Capture 2: abnormal EAP process. The dot1x client is connected to the hub, and the hub is connected to interface g0/0/12 of the authentication device.
Capture 3: abnormal EAP process.
From captures 1, 2 and 3, we can see that all EAP packets are sent by the authentication device; there are no response packets from the dot1x clients.
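The check made on the captures can be scripted. The Python below is an added example, not part of the original case or any vendor tool: it parses raw Ethernet frames, picks out EAPOL (EtherType 0x888E) and reports whether any frame came from a sender other than the authenticator. The function names, the sample frames and the authenticator MAC 00:e0:fc:00:00:01 are constructed assumptions; only the client MAC is taken from the record above.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                      # IEEE 802.1X (EAP over LAN)
PAE_GROUP = bytes.fromhex("0180c2000003")     # reserved multicast address used by EAPOL
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame):
    """Return (src_mac, description) for an EAPOL frame, or None for anything else."""
    src, offset = frame[6:12], 12
    if frame[offset:offset + 2] == b"\x81\x00":   # skip one 802.1Q tag if present
        offset += 4
    if len(frame) < offset + 6:                   # too short for an EAPOL header
        return None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != EAPOL_ETHERTYPE:
        return None
    _version, ptype, length = struct.unpack_from("!BBH", frame, offset + 2)
    desc = EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    body = frame[offset + 6:offset + 6 + length]
    if ptype == 0 and body:                       # EAP code is the first body byte
        desc = "EAP-" + EAP_CODES.get(body[0], f"code-{body[0]}")
    return src.hex(":"), desc

def summarize(frames, authenticator_mac):
    """Split EAPOL frames by sender and flag an exchange the clients never answer."""
    from_auth, from_clients = [], []
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed:
            (from_auth if parsed[0] == authenticator_mac else from_clients).append(parsed[1])
    return {"from_authenticator": from_auth, "from_clients": from_clients,
            "one_way": bool(from_auth) and not from_clients}

def build(src, ptype, body=b""):
    """Construct a sample EAPOL frame addressed to the PAE group address."""
    return (PAE_GROUP + bytes.fromhex(src.replace(":", "")) +
            struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body)

# Constructed sample captures (not the case's captures); AUTH is an assumed switch MAC.
AUTH, CLIENT = "00:e0:fc:00:00:01", "b0:25:aa:0b:b1:48"
REQ_ID, RESP_ID = bytes([1, 1, 0, 5, 1]), bytes([2, 1, 0, 5, 1])
DIRECT = [build(CLIENT, 1), build(AUTH, 0, REQ_ID), build(CLIENT, 0, RESP_ID),
          build(AUTH, 0, bytes([3, 1, 0, 4]))]
VIA_HUB = [build(AUTH, 0, REQ_ID)] * 3        # requests retransmitted, never answered

if __name__ == "__main__":
    for name, capture in (("direct", DIRECT), ("via hub", VIA_HUB)):
        print(name, summarize(capture, AUTH))
```

A result with `one_way` set to true on the authenticator-facing port matches what captures 2 and 3 show: the device keeps sending requests and nothing from the client side reaches it.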
EAP packets are BPDU packets: they are sent to the CPU for processing rather than forwarded at Layer 2. So if there is another Layer 2 device between the dot1x client and the authentication device, that device needs to permit these EAP packets.
For how to configure l2protocol-tunnel, please refer to the link below:
When Layer 2 protocol packets with a specified multicast destination MAC address need to be transparently transmitted on an ISP network, you can define characteristic information about the Layer 2 protocol on devices on the ISP network.