On 03-12-2024 06:36 AM
Hello,
I am in the process of configuring 802.1X authentication in my company. However, I am encountering an issue with implementing authentication for the switches themselves.
I have set up a lab that includes the following equipment:
The following diagram illustrates the lab setup:
The G0/1 port of switch SW1 is configured as follows:
switchport mode access
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x max-req 3
dot1x max-reauth-req 10
switchport nonegotiate
The G0/2 port of switch SW2 is configured as follows:
switchport mode trunk
dot1x pae supplicant
dot1x supplicant eap profile auth_switch
dot1x credentials auth_switch
switchport nonegotiate
eap profile auth_switch
method mschapv2
exit
dot1x credentials auth_switch
username switch
password 0 ****************
From the RADIUS server, authentication is successful, and the SW2 switch is properly authenticated. Following successful authentication, the RADIUS attribute Cisco-AV-pair "device-traffic-class=switch" is sent to switch the G0/1 port of SW1 to trunk mode.
However, here is what I am getting:
Dec 2 16:27:36.097: Applying command... 'no switchport access vlan 1' at Gi1/0/1
Dec 2 16:27:36.097: Applying command... 'no switchport nonegotiate' at Gi1/0/1
Dec 2 16:27:36.097: Applying command... 'switchport mode trunk' at Gi1/0/1
Dec 2 16:27:36.104: Applying command... 'switchport trunk native vlan 1' at Gi1/0/1
Dec 2 16:27:36.108: Applying command... 'spanning-tree portfast trunk' at Gi1/0/1
Dec 2 16:27:36.122: Applying command... 'no switchport nonegotiate' at Gi1/0/1
Dec 2 16:27:36.125: Applying command... 'switchport mode access' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'no switchport trunk native vlan 1' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'no spanning-tree portfast trunk' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'switchport access vlan 1' at Gi1/0/1
Dec 2 16:27:36.136: Applying command... 'spanning-tree portfast' at Gi1/0/1
Dec 2 16:27:36.136: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0022.1452.4579) on Interface Gi1/0/1 AuditSessionID C0A806670000000F002062FC
The RADIUS attribute does switch the port to 'trunk' mode, but the port switches back to 'access' mode immediately afterward. Additionally, on the G0/2 port of the SW2 switch, the port initially configured in 'trunk' mode now appears as 'unassigned':
SW2#sh int G1/0/2 status
Port      Name   Status       Vlan        Duplex  Speed  Type
Gi1/0/2          notconnect   unassigned  a-full  a-100  10/100/1000BaseTX
I also do not understand the event "%DOT1X-5-RESULT_OVERRIDE".
I therefore conducted additional tests with another Cisco 2960X switch (IOS 15.0(2)EX5) and a Cisco 3560 switch (IOS 15.0(2)SE5). Authentication is once again successful, and the G0/1 port of the SW1 switch transitions to 'trunk' mode and stays there. Moreover, the G0/2 port of the SW2 switch remains in 'trunk' mode and does not switch to 'unassigned'.
My question is as follows: Does the latest IOS version for Cisco 2960X switches not support 802.1X authentication for switches in conjunction with the RADIUS attribute? If it is unrelated, what could be causing the issue?
Thank you in advance for your response.
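Added example (not part of the post or of Cisco's documentation): the RADIUS exchange behind the NEAT attribute described above, i.e. an Access-Accept that carries Cisco-AV-pair "device-traffic-class=switch" as a Vendor-Specific attribute (vendor 9, vendor-type 1), plus the two checks the authenticator switch performs before acting on it, the Response Authenticator (RFC 2865) and the Message-Authenticator that is mandatory on EAP results (RFC 3579). The shared secret, packet identifier and Request Authenticator are made-up test values.

```python
"""Build and verify a RADIUS Access-Accept carrying the Cisco-AV-pair
'device-traffic-class=switch'. Added example; secret, identifier and
Request Authenticator below are made-up test values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # Cisco vendor-type 1 = Cisco-AV-pair (string)


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AV-pair as a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    data = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data   # vendor-type, vendor-length, string
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, avpairs) -> bytes:
    """Access-Accept with a Message-Authenticator (required for EAP, RFC 3579 section 3.2)
    and the Response Authenticator of RFC 2865 section 3."""
    attrs = b"".join(cisco_avpair(v) for v in avpairs)
    ma_hdr = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs) + 18)
    # HMAC-MD5 over the packet with the Message-Authenticator value zeroed and the
    # Request Authenticator of the Access-Request in the authenticator field.
    ma = hmac.new(secret, header + request_auth + attrs + ma_hdr + bytes(16), hashlib.md5).digest()
    attrs += ma_hdr + ma
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def iter_attrs(attrs: bytes):
    """Yield (type, value) for each TLV; reject malformed lengths instead of reading past the end."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]


def cisco_avpairs(packet: bytes) -> list:
    """Return every Cisco-AV-pair string carried in a RADIUS packet."""
    out = []
    for atype, value in iter_attrs(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in iter_attrs(value[4:]):   # vendor sub-attributes use the same TLV shape
            if vtype == CISCO_AVPAIR:
                out.append(vvalue.decode())
    return out


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the authenticator must check before it acts on the AV-pair:
    the Response Authenticator, then the Message-Authenticator (a missing one means reject)."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + request_auth + attrs + secret).digest(), resp_auth):
        return False
    pos = 0
    for atype, value in iter_attrs(attrs):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


if __name__ == "__main__":
    pkt = build_access_accept(7, bytes(range(16)), b"testing123", ["device-traffic-class=switch"])
    print(pkt.hex())
    print(cisco_avpairs(pkt), verify_access_accept(pkt, bytes(range(16)), b"testing123"))
```

A capture of the real Access-Accept (for example from "debug radius" on SW1) can be fed to cisco_avpairs() to confirm that the server really sent device-traffic-class=switch as a Cisco VSA and not as a plain attribute, which is the first thing to rule out when the port does not behave as expected.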
On 03-12-2024 06:44 AM
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html
This feature is called NEAT.
Check the link.
MHM
On 04-12-2024 03:24 AM
Thank you for your response.
I followed this procedure carefully when creating the laboratory. However, my issue still persists.
In the procedure, the events look like:
Oct 15 13:51:03.723: Applying command... 'no switchport access vlan 1' at Fa0/6
Oct 15 13:51:03.739: Applying command... 'no switchport nonegotiate' at Fa0/6
Oct 15 13:51:03.748: Applying command... 'switchport trunk encapsulation dot1q' at Fa0/6
Oct 15 13:51:03.756: Applying command... 'switchport mode trunk' at Fa0/6
Oct 15 13:51:03.756: Applying command... 'switchport trunk native vlan 1' at Fa0/6
Oct 15 13:51:03.764: Applying command... 'spanning-tree portfast trunk' at Fa0/6
Oct 15 13:51:04.805: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.0d55.2187) on Interface Fa0/6 AuditSessionID 0A3039E10000000600757ABB
In my laboratory, the events look like:
Dec 2 16:27:36.097: Applying command... 'no switchport access vlan 1' at Gi1/0/1
Dec 2 16:27:36.097: Applying command... 'no switchport nonegotiate' at Gi1/0/1
Dec 2 16:27:36.097: Applying command... 'switchport mode trunk' at Gi1/0/1
Dec 2 16:27:36.104: Applying command... 'switchport trunk native vlan 1' at Gi1/0/1
Dec 2 16:27:36.108: Applying command... 'spanning-tree portfast trunk' at Gi1/0/1
Dec 2 16:27:36.122: Applying command... 'no switchport nonegotiate' at Gi1/0/1
Dec 2 16:27:36.125: Applying command... 'switchport mode access' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'no switchport trunk native vlan 1' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'no spanning-tree portfast trunk' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'switchport access vlan 1' at Gi1/0/1
Dec 2 16:27:36.136: Applying command... 'spanning-tree portfast' at Gi1/0/1
Dec 2 16:27:36.136: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0022.1452.4579) on Interface Gi1/0/1 AuditSessionID C0A806670000000F002062FC
I don’t understand why the port state switches back to access mode after being set to trunk mode.
Thank you in advance.
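Added example (not from the thread): a small replay of the "Applying command" bursts quoted above that tracks the switchport mode pushed to each port and flags a port where "switchport mode trunk" is followed by "switchport mode access" within the same burst. The two embedded logs are the ones quoted in the post (the Fa0/6 burst from the Cisco NEAT document and the Gi1/0/1 burst from the poster's lab); the 2-second window is an assumed threshold.

```python
"""Replay IOS 'Applying command' syslog bursts and flag a trunk authorization that
is rolled back within the same burst. Added example; window_s is an assumed threshold."""
import re
from datetime import datetime

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+)"
CMD_RE = re.compile(TS + r": Applying command\.\.\. '(?P<cmd>[^']+)' at (?P<iface>\S+)")
MSG_RE = re.compile(TS + r": %(?P<mnemonic>[A-Z0-9_-]+): .*?Interface (?P<iface>\S+)")


def parse_ts(text: str) -> datetime:
    """IOS timestamps carry no year; strptime defaults to 1900, fine for differences."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S.%f")


def analyze(lines, window_s: float = 2.0) -> dict:
    """Per interface: final switchport mode, last dot1x/authmgr mnemonic, and whether
    a 'switchport mode trunk' was undone by 'switchport mode access' within window_s."""
    state = {}
    for line in lines:
        m = CMD_RE.match(line)
        if m:
            st = state.setdefault(m["iface"], {"modes": [], "result": None})
            if m["cmd"].startswith("switchport mode "):
                st["modes"].append((parse_ts(m["ts"]), m["cmd"].split()[-1]))
            continue
        m = MSG_RE.match(line)
        if m:
            state.setdefault(m["iface"], {"modes": [], "result": None})["result"] = m["mnemonic"]
    report = {}
    for iface, st in state.items():
        modes = st["modes"]
        reverted = any(prev[1] == "trunk" and cur[1] == "access"
                       and (cur[0] - prev[0]).total_seconds() <= window_s
                       for prev, cur in zip(modes, modes[1:]))
        report[iface] = {"final_mode": modes[-1][1] if modes else None,
                         "result": st["result"], "trunk_reverted": reverted}
    return report


# Burst quoted from the Cisco NEAT document: trunk applied once, authorization succeeds.
NEAT_DOC_LOG = [
    "Oct 15 13:51:03.723: Applying command... 'no switchport access vlan 1' at Fa0/6",
    "Oct 15 13:51:03.739: Applying command... 'no switchport nonegotiate' at Fa0/6",
    "Oct 15 13:51:03.748: Applying command... 'switchport trunk encapsulation dot1q' at Fa0/6",
    "Oct 15 13:51:03.756: Applying command... 'switchport mode trunk' at Fa0/6",
    "Oct 15 13:51:03.756: Applying command... 'switchport trunk native vlan 1' at Fa0/6",
    "Oct 15 13:51:03.764: Applying command... 'spanning-tree portfast trunk' at Fa0/6",
    "Oct 15 13:51:04.805: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.0d55.2187) on Interface Fa0/6 AuditSessionID 0A3039E10000000600757ABB",
]

# Burst quoted from the poster's lab: trunk applied, then access re-applied 28 ms later.
LAB_LOG = [
    "Dec 2 16:27:36.097: Applying command... 'no switchport access vlan 1' at Gi1/0/1",
    "Dec 2 16:27:36.097: Applying command... 'no switchport nonegotiate' at Gi1/0/1",
    "Dec 2 16:27:36.097: Applying command... 'switchport mode trunk' at Gi1/0/1",
    "Dec 2 16:27:36.104: Applying command... 'switchport trunk native vlan 1' at Gi1/0/1",
    "Dec 2 16:27:36.108: Applying command... 'spanning-tree portfast trunk' at Gi1/0/1",
    "Dec 2 16:27:36.122: Applying command... 'no switchport nonegotiate' at Gi1/0/1",
    "Dec 2 16:27:36.125: Applying command... 'switchport mode access' at Gi1/0/1",
    "Dec 2 16:27:36.132: Applying command... 'no switchport trunk native vlan 1' at Gi1/0/1",
    "Dec 2 16:27:36.132: Applying command... 'no spanning-tree portfast trunk' at Gi1/0/1",
    "Dec 2 16:27:36.132: Applying command... 'switchport access vlan 1' at Gi1/0/1",
    "Dec 2 16:27:36.136: Applying command... 'spanning-tree portfast' at Gi1/0/1",
    "Dec 2 16:27:36.136: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0022.1452.4579) on Interface Gi1/0/1 AuditSessionID C0A806670000000F002062FC",
]

if __name__ == "__main__":
    for name, log in (("NEAT doc", NEAT_DOC_LOG), ("lab", LAB_LOG)):
        print(name, analyze(log))
```

Run against the output of "terminal monitor" with "debug authentication feature ... " or the switch's syslog export, the report makes the difference between the two runs explicit: the documented burst ends with the port in trunk mode and AUTHMGR-5-SUCCESS, the lab burst ends with the port back in access mode and DOT1X-5-RESULT_OVERRIDE, so the trunk template was pushed and then overridden rather than never applied at all.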
On 04-12-2024 05:37 AM