topic Re: dot1x interface config interpretation in Network Access Control

dot1x interface config interpretation

davinci — Fri, 08 Mar 2019 16:33:02 GMT

interface GigabitEthernetX/X
description xxxx
switchport
switchport access vlan 22
switchport mode access
switchport voice vlan 26
authentication event server dead action authorize vlan 22
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 27
authentication host-mode multi-domain
authentication port-control auto
authentication violation replace
mls qos trust dscp
dot1x pae authenticator
no cdp enable

can someone please tell me the meaning of the bold commands? I need to understand the policy implications.

Re: dot1x interface config interpretation

Rob Ingram — Fri, 08 Mar 2019 16:45:03 GMT

Hi,

authentication event server dead action authorize vlan 22 = authorize session into data vlan 22 when the radius server(s) are all marked dead
authentication event server dead action authorize voice = authorize voice when the radius server(s) are all marked dead
authentication event no-response action authorize vlan 27 = authorize guest vlan (when user failed dot1x and mab)
authentication host-mode multi-domain = allows an IP Phone and a PC to authenticate on the same switch port
authentication port-control auto = authentication enabled on a port
authentication violation replace = upon violation, remove the current session and authenticates with the new host.
mls qos trust dscp = Qos related, not dot1x
dot1x pae authenticator = Enables 802.1X authentication on the port with default parameters.

HTH

Re: dot1x interface config interpretation

bern81 — Thu, 14 Mar 2019 13:01:32 GMT

@Rob Ingram explained it perfectly.

I just wanted to add few thing to make your config more optimal.

add also this on the switcvhport:

authentication event server alive action reinitialize (this will reauthenticate the interface who is critical VLAN where the AAA server is marked ALIVE).

In global config

radius-server dead-criteria time 5 tries 3 (declare the AAA as dead if no reply within 15 sec)
radius-server deadtime 10 (if server is DEAD after 10 minutes try to Probe with the dummy user)

in the raduis server config add a dummy user with Probe-ON otherwise if AAA server is dead then you will have a creapie authentication looping

radius server RADSERVER1
address ipv4 10.7.1.200 auth-port 1812 acct-port 1813
automate-tester username dummy ignore-acct-port probe-on
key 7XXXXXXXXYYYYY

Please rate if helpfull

Re: dot1x interface config interpretation

davinci — Mon, 15 Apr 2019 20:51:33 GMT

awesome, thanks for the comments

Re: dot1x interface config interpretation

davinci — Wed, 13 Nov 2019 16:15:54 GMT

I have a problem where workstations (supplicants) keep getting kicked into the guest vlan 27 seemingly inadvertently. After I shut/no shut the port then they regain access via regular data vlan 22. What could possibly be the reason? Is there a workaround or way to eliminate this issue from occuring?