How to troubleshoot issues related to NAS devices and Portnox RADIUS
In this topic, you will learn how to troubleshoot known issues related to different NAS devices and their setup with Portnox Cloud RADIUS and local RADIUS.
- Does Portnox Cloud work with cascaded switches?
Using cascaded switches with Portnox Cloud is not recommended. Cascading creates a single point of failure: if the first switch fails, devices on the second switch lose connectivity and authentication. Cascading can also create authentication bottlenecks because the second switch relies entirely on the first switch for validating devices.
Using access mode on the uplink limits VLAN support and reduces network flexibility. Applying 802.1X authentication on uplink ports can block traffic and disrupt communication between switches. Configuring Portnox on only one switch while leaving the second switch without configuration increases security risks and reduces reliability. Each switch should handle its own authentication independently for long-term security and smooth operation.
If you choose to use cascading despite these warnings, you should contact the NAS device manufacturer for support. This is beyond the scope of configuring RADIUS servers or setting up NAS devices to work with Portnox Cloud.
- How to avoid wired port communication disruptions when a port initiates MAB and 802.1X at the same time?
In wired 802.1X environments, a switch port may initiate both MAC Authentication Bypass (MAB) and 802.1X authentication either at the same time or in an unintended order. This usually happens when the endpoint does not respond quickly to the initial 802.1X EAPOL request. The switch then assumes the device is not 802.1X-capable and falls back to MAB. If the endpoint responds shortly after, the switch may also start 802.1X, which results in duplicate authentication attempts. This is quite typical of Cisco switches and other IOS-based NAS devices.
This behavior can cause inconsistent session handling and network connectivity disruptions. It is caused by timing mismatches during the authentication exchange between the network access device (NAS) and the endpoint and can occur regardless of whether one or multiple devices are connected to the port.
Sample port configuration:

    interface GigabitEthernet1/0/9
     switchport access vlan xxx
     switchport mode access
     ! This port uses multi-domain for daisy-chained phone + PC authentication
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     spanning-tree portfast
     dot1x timeout server-timeout 5
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 5
     dot1x max-reauth-req 3

To reduce the likelihood of this happening, increase the 802.1X authentication timers on the affected switch ports. This gives the endpoint more time to respond before the switch falls back to MAB.

    dot1x timeout tx-period 30
    dot1x timeout supp-timeout 30

- tx-period: Increases the interval between EAPOL-Request/Identity retries.
- supp-timeout: Increases the wait time for a response from the endpoint.

Adjusting these timers reduces premature MAB fallback, prevents dual authentication events, and improves authentication stability.

Note:
- Shorter values (10–20 seconds) allow faster retries but increase network traffic.
- Longer values (30–60 seconds) reduce retries and network load but may delay authentication.
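The following script is an added example (not Portnox's or Cisco's code) that audits an IOS-style running-config for access ports configured with `authentication order dot1x mab` and timers below the 30-second value recommended above. It parses `interface` blocks, reads `dot1x timeout tx-period`, `dot1x timeout supp-timeout` and `dot1x max-reauth-req`, and estimates how long the port waits before falling back to MAB. The sample config, the IOS defaults used for missing lines (tx-period 30, supp-timeout 30, max-reauth-req 2) and the fallback estimate tx-period × (max-reauth-req + 1) are assumptions based on Cisco's documented 802.1X behaviour; they are not stated on this page.

```python
"""Audit a Cisco IOS running-config for ports likely to fall back to MAB too early.

Added example, not Portnox's or Cisco's code. Assumes IOS-style 'interface' blocks
terminated by '!' and the timer commands shown in the page's sample port configuration.
"""
import re

# Assumed IOS defaults, used when a timer line is absent from the interface block.
IOS_DEFAULT_TX_PERIOD = 30
IOS_DEFAULT_SUPP_TIMEOUT = 30
IOS_DEFAULT_MAX_REAUTH_REQ = 2
RECOMMENDED_MIN_TIMER = 30  # the value the page recommends for tx-period/supp-timeout

# Constructed sample config: one port with the page's short timers, one corrected port,
# and one uplink without 802.1X at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/9
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-reauth-req 3
!
interface GigabitEthernet1/0/10
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 30
 dot1x timeout supp-timeout 30
!
interface GigabitEthernet1/0/11
 description uplink, no 802.1X configured
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each 'interface' block."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif line == "!":
            current = None  # '!' closes the current block
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def _int_setting(lines, pattern, default):
    """Return the integer captured by pattern on the first matching line, else default."""
    for line in lines:
        match = re.match(pattern, line)
        if match:
            return int(match.group(1))
    return default


def mab_fallback_seconds(lines):
    """Estimate seconds before the switch gives up on 802.1X and tries MAB.

    Assumption: the switch sends one EAPOL-Request/Identity, then max-reauth-req retries
    spaced tx-period apart, so fallback occurs after tx-period * (max-reauth-req + 1).
    """
    tx_period = _int_setting(lines, r"dot1x timeout tx-period (\d+)$", IOS_DEFAULT_TX_PERIOD)
    max_reauth = _int_setting(lines, r"dot1x max-reauth-req (\d+)$", IOS_DEFAULT_MAX_REAUTH_REQ)
    return tx_period * (max_reauth + 1)


def audit(config, min_timer=RECOMMENDED_MIN_TIMER):
    """Return findings for dot1x-then-mab ports whose tx-period or supp-timeout is below min_timer."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "authentication order dot1x mab" not in lines:
            continue  # port does not use the 802.1X -> MAB order the page describes
        tx_period = _int_setting(lines, r"dot1x timeout tx-period (\d+)$", IOS_DEFAULT_TX_PERIOD)
        supp_timeout = _int_setting(lines, r"dot1x timeout supp-timeout (\d+)$", IOS_DEFAULT_SUPP_TIMEOUT)
        if tx_period < min_timer or supp_timeout < min_timer:
            findings.append({
                "interface": name,
                "tx_period": tx_period,
                "supp_timeout": supp_timeout,
                "mab_fallback_seconds": mab_fallback_seconds(lines),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"{finding['interface']}: tx-period={finding['tx_period']}s "
              f"supp-timeout={finding['supp_timeout']}s, "
              f"estimated MAB fallback after ~{finding['mab_fallback_seconds']}s")
```

Run it against the output of `show running-config` saved to a file; a port that appears in the findings is a candidate for the 30-second timer change above, and the fallback estimate shows how little time a slow-booting endpoint currently has to answer the EAPOL request.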
- Does Portnox Cloud support or require any additional configuration on the Aruba Wireless Controller to support custom dACLs?
Aruba does not use the same standard RADIUS dACL attributes as, for example, Cisco. To apply ACLs via RADIUS, you must configure a custom RADIUS attribute for each ACL line using HP:HP-Nas-Filter-Rule, where the attribute value contains a single ACL entry, for example, HP:HP-Nas-Filter-Rule=permit in tcp from any to 203.0.113.56 443.
If ACL or dACL enforcement from Portnox Cloud does not work for wireless access, Aruba recommends configuring ACLs directly on the Aruba controller or in Aruba Central instead of relying on RADIUS-based ACL delivery.
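As an added example (not Portnox's or Aruba's code), the helper below turns a list of ACL entries into one HP:HP-Nas-Filter-Rule attribute per entry and rejects values that would pack several entries into a single attribute, which is the mistake the answer above warns against. Only the `permit in tcp from any to <address> <port>` form is taken from the page; the additional keywords accepted here (deny, out, udp, ip, an `any` destination and an optional port) are assumptions about the rule grammar and should be checked against the controller's documentation before use.

```python
"""Build one HP:HP-Nas-Filter-Rule RADIUS attribute per ACL entry.

Added example, not Portnox's or Aruba's code. The grammar below is an assumption that
generalises the single rule shown on the page: action direction protocol from any to dst [port].
"""
import ipaddress
import re

ATTRIBUTE_NAME = "HP:HP-Nas-Filter-Rule"
# Assumed keyword sets; only 'permit', 'in' and 'tcp' appear on the page.
ACTIONS = {"permit", "deny"}
DIRECTIONS = {"in", "out"}
PROTOCOLS = {"tcp", "udp", "ip"}

RULE_RE = re.compile(
    r"^(?P<action>\S+) (?P<direction>\S+) (?P<proto>\S+) from any to (?P<dst>\S+)(?: (?P<port>\S+))?$"
)


def validate_rule(rule):
    """Return a normalised single ACL entry, or raise ValueError describing the problem."""
    # One entry per attribute: reject anything that looks like several rules glued together.
    if any(sep in rule for sep in ("\n", ";", ",")):
        raise ValueError(f"attribute value must contain exactly one ACL entry: {rule!r}")
    match = RULE_RE.match(rule.strip())
    if not match:
        raise ValueError(f"rule does not match '<action> <dir> <proto> from any to <dst> [port]': {rule!r}")
    action, direction, proto = match["action"], match["direction"], match["proto"]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in {rule!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r} in {rule!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r} in {rule!r}")
    dst = match["dst"]
    if dst != "any":
        try:
            ipaddress.ip_network(dst, strict=False)  # accepts a host address or a prefix
        except ValueError as exc:
            raise ValueError(f"bad destination {dst!r} in {rule!r}") from exc
    port = match["port"]
    if port is not None:
        if proto == "ip":
            raise ValueError(f"a port only makes sense for tcp/udp: {rule!r}")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r} in {rule!r}")
    return rule.strip()


def build_filter_rules(acl_entries):
    """Return the list of 'HP:HP-Nas-Filter-Rule=<entry>' strings, one per ACL entry."""
    return [f"{ATTRIBUTE_NAME}={validate_rule(entry)}" for entry in acl_entries]


if __name__ == "__main__":
    # Constructed sample ACL: the page's example plus a catch-all deny.
    sample_acl = [
        "permit in tcp from any to 203.0.113.56 443",
        "deny in ip from any to any",
    ]
    for attribute in build_filter_rules(sample_acl):
        print(attribute)
```

Each returned string corresponds to one RADIUS attribute/value pair to add to the access policy; if `validate_rule` raises for an entry, fix the entry rather than shortening the ACL, and if the controller still does not enforce the rules, follow the recommendation above and configure the ACL on the controller or in Aruba Central.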
