<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: 802.1x fail authentication - packets keep discarded in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657913#M422203</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;OK, so apologies. There's a fine line b/t auth-fail and auth-timeout ;-). You need the auth-fail-vlan if you ever want to try and give network access to something that actually fails authc. Please reference this with your security policies BTW.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you need to take a look at the real-time state on the port, just repeat the "show dot1x interface &lt;M&gt;" command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Auth failure can block access for a machine (b/c it's supposed to be default). Auth timeout can block access for a machine (b/c it's supposed to by default). Typically, the authority for this is your IAS server, so authc presumably works successfully to unblock access.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does this help?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 02 Jan 2007 15:41:52 GMT</pubDate>
    <dc:creator>jafrazie</dc:creator>
    <dc:date>2007-01-02T15:41:52Z</dc:date>
    <item>
      <title>802.1x fail authentication - packets keep discarded</title>
      <link>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657910#M422200</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm implementing 802.1x using Catalyst 3560 and MS IAS as radius server. The plan is, every PC needs to authenticate using PEAP with radius and be assigned to a VLAN. Failed authentication will be assigned to the guest VLAN.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The problem is when I'm testing a PC, set the PC without 802.1x enabled, plug it into the 3560 port, the port keeps that PC's packets discarded forever. I remove the dot1x configuration on the interface, but it keeps discarding all packets (can't ping anywhere). When I plugged the PC into another port with the same configuration (no dot1x), it works. I have tried shut and no shut on the interface, disable - enable devices, remove config etc., but the PC can't ping anywhere.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm happy to paste the config. Could anyone please explain to me why it happens and what the solution is? Many thanks.&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 21:53:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657910#M422200</guid>
      <dc:creator>rpratikno</dc:creator>
      <dc:date>2019-03-10T21:53:40Z</dc:date>
    </item>
    <item>
      <title>Re: 802.1x fail authentication - packets keep discarded</title>
      <link>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657911#M422201</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Here's an example config that should work:&lt;/P&gt;&lt;P&gt;interface GigabitEthernet1/0/5&lt;/P&gt;&lt;P&gt; switchport access vlan 31&lt;/P&gt;&lt;P&gt; switchport mode access&lt;/P&gt;&lt;P&gt; dot1x pae authenticator&lt;/P&gt;&lt;P&gt; dot1x port-control auto&lt;/P&gt;&lt;P&gt; dot1x guest-vlan 35&lt;/P&gt;&lt;P&gt; dot1x auth-fail vlan 35&lt;/P&gt;&lt;P&gt;end&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This should NOT keep a non-1x machine from accessing the network forever. With the above, and default timers, it's a 90-sec timeout of 802.1X. You can tweak the tx-period and the max-reauth-req variable to get this down to 2-sec if you wish. If you remove 802.1X, then this should also not discard packets. If the 2 items above are truly occurring, then you have hit a software bug, and a TAC case should be opened immediately. Are you sure something like DHCP just hasn't timed out on you though?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;NOTE: The config above has vlan 35 for the guest-vlan being equal to the auth-fail-vlan based on your stating the need for this above. It could be different from the guest-vlan if you wanted it to be. Either/both could be the same vlan as what's statically configured on the port as well [31].&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Dec 2006 17:13:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657911#M422201</guid>
      <dc:creator>jafrazie</dc:creator>
      <dc:date>2006-12-29T17:13:59Z</dc:date>
    </item>
    <item>
      <title>Re: 802.1x fail authentication - packets keep discarded</title>
      <link>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657912#M422202</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi jafrazie&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you for your reply.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It seems my IOS 12.2-25(SEB4) doesn't support dot1x auth-fail. I need to update my IOS first and will keep you up to date.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Anyway, is there any command to refresh the dot1x interface status, or do you have any idea what makes the switch interface block the machine? At the moment, the port keeps blocking the specific machine. I don't know whether the IAS or the switch has the authority to unblock it. Your opinion will be highly appreciated.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 02 Jan 2007 00:52:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657912#M422202</guid>
      <dc:creator>rpratikno</dc:creator>
      <dc:date>2007-01-02T00:52:55Z</dc:date>
    </item>
    <item>
      <title>Re: 802.1x fail authentication - packets keep discarded</title>
      <link>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657913#M422203</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;OK, so apologies. There's a fine line b/t auth-fail and auth-timeout ;-). You need the auth-fail-vlan if you ever want to try and give network access to something that actually fails authc. Please reference this with your security policies BTW.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you need to take a look at the real-time state on the port, just repeat the "show dot1x interface &lt;M&gt;" command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Auth failure can block access for a machine (b/c it's supposed to be default). Auth timeout can block access for a machine (b/c it's supposed to by default). Typically, the authority for this is your IAS server, so authc presumably works successfully to unblock access.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does this help?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 02 Jan 2007 15:41:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657913#M422203</guid>
      <dc:creator>jafrazie</dc:creator>
      <dc:date>2007-01-02T15:41:52Z</dc:date>
    </item>
    <item>
      <title>Re: 802.1x fail authentication - packets keep discarded</title>
      <link>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657914#M422204</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi jafrazie,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again for your explanations.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With the new IOS, it looks fine now. Auth-fail is definitely a good feature compared to the previous limited dot1x commands.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With my problem, I'm sure auth timeout is not the one that blocks the machine; I did let the machine ping -t the gateway for a couple of minutes. The "show dot1x interface" didn't show any error state. It even didn't give access to the guest VLAN. Still wondering what causes it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do you mind explaining to me why we need guest-vlan if we already have auth-fail?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 03 Jan 2007 02:51:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657914#M422204</guid>
      <dc:creator>rpratikno</dc:creator>
      <dc:date>2007-01-03T02:51:15Z</dc:date>
    </item>
    <item>
      <title>Re: 802.1x fail authentication - packets keep discarded</title>
      <link>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657915#M422205</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The Guest-VLAN can give network access to 802.1X-incapable devices (like a printer). Instead of implicitly denying access (which is the default), authentication can time out, and the port can be enabled nonetheless.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The Auth-Fail-VLAN is similar to the above, except that it addresses an actual failure or invalid credentials (instead of lack of credentials entirely).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 03 Jan 2007 05:13:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657915#M422205</guid>
      <dc:creator>jafrazie</dc:creator>
      <dc:date>2007-01-03T05:13:13Z</dc:date>
    </item>
    <item>
      <title>Re: 802.1x fail authentication - packets keep discarded</title>
      <link>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657916#M422206</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;It does help 😃 thanks for all your explanations and help.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 04 Jan 2007 00:19:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/802-1x-fail-authentication-packets-keep-discarded/m-p/657916#M422206</guid>
      <dc:creator>rpratikno</dc:creator>
      <dc:date>2007-01-04T00:19:34Z</dc:date>
    </item>
  </channel>
</rss>