https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134322#M147082 <HTML><HEAD></HEAD><BODY><P>Jan,</P><P></P><P>Thanks for your recommendations - looks like we're going to upgrade to cat4500e-entservicesk9-mz.122-53.SG4 and hopefully that'll resolve our issues.&nbsp; I'll post an update afterwards to let everyone know.</P><P></P><P>Thanks,</P><P></P><P>Brian&nbsp; </P></BODY></HTML> Thu, 15 Nov 2012 16:12:57 GMT Brian Saunders 2012-11-15T16:12:57Z https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134320#M147080 <P>Hello All,</P><P></P><P>Configuring dot1x on our access layer switch-ports and am having some issues with devices that fail authentication.&nbsp; This is the current configuration on the switch-port:</P><P></P><P><EM style="font-size: 8pt; ">switchport mode access</EM></P><P><EM style="font-size: 8pt; ">switchport voice vlan 38</EM></P><P><EM style="font-size: 8pt; ">dot1x mac-auth-bypass</EM></P><P><EM style="font-size: 8pt; ">dot1x pae authenticator</EM></P><P><EM style="font-size: 8pt; ">dot1x port-control auto</EM></P><P><EM style="font-size: 8pt; ">dot1x host-mode multi-domain</EM></P><P><EM style="font-size: 8pt; ">dot1x timeout server-timeout 10</EM></P><P><EM style="font-size: 8pt; ">dot1x timeout reauth-period server</EM></P><P><EM style="font-size: 8pt; ">dot1x timeout tx-period 10</EM></P><P><EM style="font-size: 8pt; ">dot1x timeout supp-timeout 3</EM></P><P><EM style="font-size: 8pt; ">dot1x max-req 3</EM></P><P><EM style="font-size: 8pt; ">dot1x max-reauth-req 3</EM></P><P><EM style="font-size: 8pt; ">dot1x reauthentication</EM></P><P><EM style="font-size: 8pt; ">dot1x critical</EM></P><P><EM style="font-size: 8pt; ">dot1x critical recovery action reinitialize</EM></P><P><EM style="font-size: 8pt; ">dot1x auth-fail vlan 7</EM></P><P><EM style="font-size: 8pt; ">dot1x guest-vlan 7</EM></P><P><EM style="font-size: 8pt; ">dot1x critical vlan 36</EM></P><P><EM style="font-size: 8pt; ">spanning-tree portfast</EM></P><P><EM style="font-size: 8pt; ">spanning-tree bpduguard enable</EM></P><P><EM style="font-size: 8pt; "> </EM></P><P><SPAN style="font-size: 10pt;">When a non-employee connects they go through the authentication process and eventually fail dot1x and mab and get placed into the designated guest vlan 7.&nbsp; If you do a "show int gx/x status" on that switch-port it shows them connected and in that vlan 7.&nbsp; If you do a "show dot1x int gx/x details" it also shows the port as authorized (By Guest-Vlan) and the vlan policy is 7.&nbsp; The problem is the user never gets a valid ip address - they just receive a 169.x.x.x.&nbsp; Anyone have any experience with this type of issues or have any recommendations?</SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P><SPAN style="font-size: 10pt;">Thanks,</SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P><SPAN style="font-size: 10pt;">Brian</SPAN></P> Mon, 11 Mar 2019 02:47:13 GMT https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134320#M147080 Brian Saunders 2019-03-11T02:47:13Z https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134321#M147081 <HTML><HEAD></HEAD><BODY><P>- First off, your switch commands tell me you are using an old software on your switch, you should upgrade it firstly, there has been many bug fixed and enhancements to dot1x/mab in recent releases</P><P></P><P>- Your problem is probably that your guest dhcp client is timing out before you are done with dot1x and mab, susally adjusting tx-period to a lower number could help the time it takes before you reach the guest vlan, but could also have an impact on your machines that are running dot1x, you would have to try some different values. Also using Windows XP SP3 or Windows 7, helps as well on your dot1x machines, and finally using AnyConnect NAM supplicant will make it work fine without having problems when adjusting dot1x timers on your switch.</P><P></P><P>- With the new software i would go with default timers, maybe change tx-period to 5 secs, and then use the "authentication order mab dot1x" and "authentication priority mab dot1x", also having your guest vlan as your default vlan, will usually also solve the problem of guests having to do a new dhcp reqeust once aauthorized, however you could run into problems with stuff you wan't to use mab on.</P></BODY></HTML> Thu, 15 Nov 2012 01:08:17 GMT https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134321#M147081 jan.nielsen 2012-11-15T01:08:17Z https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134322#M147082 <HTML><HEAD></HEAD><BODY><P>Jan,</P><P></P><P>Thanks for your recommendations - looks like we're going to upgrade to cat4500e-entservicesk9-mz.122-53.SG4 and hopefully that'll resolve our issues.&nbsp; I'll post an update afterwards to let everyone know.</P><P></P><P>Thanks,</P><P></P><P>Brian&nbsp; </P></BODY></HTML> Thu, 15 Nov 2012 16:12:57 GMT https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134322#M147082 Brian Saunders 2012-11-15T16:12:57Z https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134323#M147083 <HTML><HEAD></HEAD><BODY><P>After upgrading to cat4500e-entservicesk9-mz.122-53.SG4 all dot1x parameters worked fine!&nbsp; Thanks for your assistance.</P><P></P><P>Brian</P></BODY></HTML> Tue, 20 Nov 2012 18:50:24 GMT https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134323#M147083 Brian Saunders 2012-11-20T18:50:24Z https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134324#M147084 <HTML><HEAD></HEAD><BODY><P>Thats great, good luck with your dot1x setup.</P><P></P><P>Jan</P></BODY></HTML> Tue, 20 Nov 2012 19:37:30 GMT https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/2134324#M147084 jan.nielsen 2012-11-20T19:37:30Z https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/3689992#M147085 <P>Hello Guys,</P> <P>&nbsp;</P> <P>I Configure mac authentication bypass with NPS server and its working if I add mac-address in active directory.&nbsp; But for Unknown devices ports are still going error-disable state 9(Orange) .&nbsp; instead it should go in guest vlan.</P> <P>&nbsp;</P> <P>Please see my configuration and let me know if I am missing anything.</P> <P>&nbsp;</P> <P><EM>aaa new-model</EM></P> <P><EM>aaa authentication dot1x default group radius&nbsp;</EM></P> <P><EM>aaa authorization network deafult group radius</EM></P> <P><EM>aaa&nbsp; accounting dot1x default start-stop group radius&nbsp; &nbsp;(i dont know the purpose of this command)</EM></P> <P>&nbsp;</P> <P><EM>dot1x system-auth-control</EM></P> <P>&nbsp;</P> <P><EM>Interface G1/0/3</EM></P> <P><EM>switchport mode access</EM></P> <P><EM>authentication event fail action authorize vlan 10</EM></P> <P><EM>authentication host-mode multi-auth</EM></P> <P><EM>authentication order mab</EM></P> <P><EM>authentication port-control auto</EM></P> <P><EM>mab</EM></P> <P><EM>!</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Thats all I configure , basically i just to want to use mac-address from NPS to allocate vlans and If it fails then switch just assign Guest Vlan.</EM></P> <P>&nbsp;</P> <P><EM>Thanks</EM></P> Thu, 16 Aug 2018 19:43:29 GMT https://community.cisco.com/t5/network-access-control/dot1x-guest-vlan-auth-fail-vlan-issues/m-p/3689992#M147085 ITexpert 2018-08-16T19:43:29Z