How to troubleshoot issues related to NAS devices and Portnox RADIUS
In this topic, you will learn how to troubleshoot known issues related to different NAS devices and their setup with Portnox Cloud RADIUS and local RADIUS.
- Does Portnox Cloud work with cascaded switches?
Using cascaded switches with Portnox Cloud is not recommended. Cascading creates a single point of failure: if the first switch fails, devices on the second switch lose connectivity and authentication. Cascading can also create authentication bottlenecks because the second switch relies entirely on the first switch for validating devices.
Using access mode on the uplink limits VLAN support and reduces network flexibility. Applying 802.1X authentication on uplink ports can block traffic and disrupt communication between switches. Configuring Portnox on only one switch while leaving the second switch without configuration increases security risks and reduces reliability. Each switch should handle its own authentication independently for long-term security and smooth operation.
If you choose to use cascading despite these warnings, you should contact the NAS device manufacturer for support. This is beyond the scope of configuring RADIUS servers or setting up NAS devices to work with Portnox Cloud.
- How to avoid wired port communication disruptions when a port initiates MAB and 802.1X at the same time?
In wired 802.1X environments, a switch port may initiate both MAC Authentication Bypass (MAB) and 802.1X authentication either at the same time or in an unintended order. This usually happens when the endpoint does not respond quickly to the initial 802.1X EAPOL request. The switch then assumes the device is not 802.1X-capable and falls back to MAB. If the endpoint responds shortly after, the switch may also start 802.1X, which results in duplicate authentication attempts. This is quite typical of Cisco switches and other IOS-based NAS devices.
This behavior can cause inconsistent session handling and network connectivity disruptions. It is caused by timing mismatches during the authentication exchange between the network access device (NAS) and the endpoint and can occur regardless of whether one or multiple devices are connected to the port.
Sample port configuration:
```
interface GigabitEthernet1/0/9
 switchport access vlan xxx
 switchport mode access
 ! This port uses multi-domain for daisy-chained phone + PC
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 spanning-tree portfast
 dot1x timeout server-timeout 5
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-reauth-req 3
```
To reduce the likelihood of this happening, increase the 802.1X authentication timers on the affected switch ports. This gives the endpoint more time to respond before the switch falls back to MAB.
```
dot1x timeout tx-period 30
dot1x timeout supp-timeout 30
```
- tx-period: Increases the interval between EAPOL-Request/Identity retries.
- supp-timeout: Increases the wait time for a response from the endpoint.
Adjusting these timers reduces premature MAB fallback, prevents dual authentication events, and improves authentication stability.
Note:
- Shorter values (10–20 seconds) allow faster retries but increase network traffic.
- Longer values (30–60 seconds) reduce retries and network load but may delay authentication.
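To find other ports that carry the same short timers, the check below parses IOS-style interface blocks and reports ports with MAB fallback enabled whose `tx-period` or `supp-timeout` is under a chosen minimum. It is an added example, not Portnox or Cisco code; the function names, the 30-second default for unset timers, the 30-second minimum, and the indented `show running-config` layout of the input are assumptions.

```python
import re

DEFAULT_TIMER = 30  # assumption: platform default (seconds) when a timer is unset
TIMER_RE = re.compile(r"^dot1x timeout (tx-period|supp-timeout) (\d+)$")

def parse_interfaces(config):
    """Split indented IOS-style config text into {interface: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif raw[:1] in (" ", "\t") and current is not None:
            if line and not line.startswith("!"):  # skip comment lines
                current.append(line)
        else:
            current = None  # a non-indented line closes the block
    return interfaces

def audit_fallback_timers(config, minimum=30):
    """Return (interface, timer, seconds) where MAB fallback can fire early."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        # In scope: MAB enabled and 802.1X tried first (order set as on the page).
        if "mab" not in cmds or "authentication order dot1x mab" not in cmds:
            continue
        timers = {"tx-period": DEFAULT_TIMER, "supp-timeout": DEFAULT_TIMER}
        for cmd in cmds:
            m = TIMER_RE.match(cmd)
            if m:
                timers[m.group(1)] = int(m.group(2))
        findings += [(name, t, s) for t, s in sorted(timers.items()) if s < minimum]
    return findings

# Constructed sample: Gi1/0/9 uses the page's 5 s timers, Gi1/0/10 the raised ones.
SAMPLE = """\
interface GigabitEthernet1/0/9
 ! daisy-chained phone + PC
 authentication order dot1x mab
 mab
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
interface GigabitEthernet1/0/10
 authentication order dot1x mab
 mab
 dot1x timeout tx-period 30
"""

if __name__ == "__main__":
    print(audit_fallback_timers(SAMPLE))
```

Raise `minimum` to match whatever timer value you standardize on from the ranges in the note above.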
