
Configuring IEEE 802.1x Port-Based Authentication

bstthomas
Level 1

Hello,

I am in the process of configuring 802.1X authentication in my company. However, I am encountering an issue with implementing authentication for the switches themselves.

I have set up a lab that includes the following equipment:

  • 2 Cisco 2960X switches with the latest IOS version: 15.2(7)E11
  • 1 RADIUS server

The following diagram illustrates the lab setup:

[Image: lab diagram (SW1 G0/1 to SW2 G0/2, RADIUS server)]

The G0/1 port of switch SW1 is configured as follows:

switchport mode access
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x max-req 3
dot1x max-reauth-req 10
switchport nonegotiate

The G0/2 port of switch SW2 is configured as follows:

switchport mode trunk
dot1x pae supplicant
dot1x supplicant eap profile auth_switch
dot1x credentials auth_switch
switchport nonegotiate

eap profile auth_switch
method mschapv2
exit
dot1x credentials auth_switch
username switch
password 0 ****************

From the RADIUS server, authentication is successful, and the SW2 switch is properly authenticated. Following successful authentication, the RADIUS attribute Cisco-AV-pair "device-traffic-class=switch" is sent to switch the G0/1 port of SW1 to trunk mode.

However, here is what I am getting:

Dec 2 16:27:36.097: Applying command... 'no switchport access vlan 1' at Gi1/0/1
Dec 2 16:27:36.097: Applying command... 'no switchport nonegotiate' at Gi1/0/1
Dec 2 16:27:36.097: Applying command... 'switchport mode trunk' at Gi1/0/1
Dec 2 16:27:36.104: Applying command... 'switchport trunk native vlan 1' at Gi1/0/1
Dec 2 16:27:36.108: Applying command... 'spanning-tree portfast trunk' at Gi1/0/1
Dec 2 16:27:36.122: Applying command... 'no switchport nonegotiate' at Gi1/0/1

Dec 2 16:27:36.125: Applying command... 'switchport mode access' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'no switchport trunk native vlan 1' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'no spanning-tree portfast trunk' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'switchport access vlan 1' at Gi1/0/1
Dec 2 16:27:36.136: Applying command... 'spanning-tree portfast' at Gi1/0/1
Dec 2 16:27:36.136: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0022.1452.4579) on Interface Gi1/0/1 AuditSessionID C0A806670000000F002062FC

The RADIUS attribute does switch the port to 'trunk' mode, but the port switches back to 'access' mode immediately afterward. Additionally, on the G0/2 port of the SW2 switch, the port initially configured in 'trunk' mode now appears as 'unassigned':

SW2#sh int G1/0/2 status
Port Name Status Vlan Duplex Speed Type
Gi1/0/2 notconnect unassigned a-full a-100 10/100/1000BaseTX

I also do not understand the event "%DOT1X-5-RESULT_OVERRIDE".

I therefore conducted additional tests with another Cisco 2960X switch (IOS 15.0(2)EX5) and a Cisco 3560 switch (IOS 15.0(2)SE5). Authentication is once again successful, and the G0/1 port of the SW1 switch transitions to 'trunk' mode and stays there. Moreover, the G0/2 port of the SW2 switch remains in 'trunk' mode and does not switch to 'unassigned'.

My question is as follows: Does the latest IOS version for Cisco 2960X switches not support 802.1X authentication for switches in conjunction with the RADIUS attribute? If it is unrelated, what could be causing the issue?

Thank you in advance for your response.

3 REPLIES

Thank you for your response.

I followed this procedure carefully when creating the laboratory. However, my issue still persists.

In the procedure, the events look like:

Oct 15 13:51:03.723: Applying command... 'no switchport access vlan 1' at Fa0/6
Oct 15 13:51:03.739: Applying command... 'no switchport nonegotiate' at Fa0/6
Oct 15 13:51:03.748: Applying command... 'switchport trunk encapsulation dot1q' at Fa0/6
Oct 15 13:51:03.756: Applying command... 'switchport mode trunk' at Fa0/6
Oct 15 13:51:03.756: Applying command... 'switchport trunk native vlan 1' at Fa0/6
Oct 15 13:51:03.764: Applying command... 'spanning-tree portfast trunk' at Fa0/6
Oct 15 13:51:04.805: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.0d55.2187) on Interface Fa0/6 AuditSessionID 0A3039E10000000600757ABB

In my laboratory, the events look like:

Dec 2 16:27:36.097: Applying command... 'no switchport access vlan 1' at Gi1/0/1
Dec 2 16:27:36.097: Applying command... 'no switchport nonegotiate' at Gi1/0/1
Dec 2 16:27:36.097: Applying command... 'switchport mode trunk' at Gi1/0/1
Dec 2 16:27:36.104: Applying command... 'switchport trunk native vlan 1' at Gi1/0/1
Dec 2 16:27:36.108: Applying command... 'spanning-tree portfast trunk' at Gi1/0/1
Dec 2 16:27:36.122: Applying command... 'no switchport nonegotiate' at Gi1/0/1

Dec 2 16:27:36.125: Applying command... 'switchport mode access' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'no switchport trunk native vlan 1' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'no spanning-tree portfast trunk' at Gi1/0/1
Dec 2 16:27:36.132: Applying command... 'switchport access vlan 1' at Gi1/0/1
Dec 2 16:27:36.136: Applying command... 'spanning-tree portfast' at Gi1/0/1
Dec 2 16:27:36.136: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0022.1452.4579) on Interface Gi1/0/1 AuditSessionID C0A806670000000F002062FC

I don’t understand why the port state switches back to access mode after being set to trunk mode.

Thank you in advance.
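Added example, not part of the thread: a small triage script that parses the "Applying command..." and %DOT1X-5-RESULT_OVERRIDE syslog lines quoted above and flags any port whose RADIUS-authorized trunk mode was reverted to access within the same session. The sample log is constructed from the lines in the posts; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant SW1 Gi1/0/1 lines from the post (trunk, then reverted).
REVERT_LOG = """\
Dec 2 16:27:36.097: Applying command... 'no switchport access vlan 1' at Gi1/0/1
Dec 2 16:27:36.097: Applying command... 'switchport mode trunk' at Gi1/0/1
Dec 2 16:27:36.122: Applying command... 'no switchport nonegotiate' at Gi1/0/1
Dec 2 16:27:36.125: Applying command... 'switchport mode access' at Gi1/0/1
Dec 2 16:27:36.136: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0022.1452.4579) on Interface Gi1/0/1 AuditSessionID C0A806670000000F002062FC
"""

# Constructed sample: the healthy sequence from the referenced procedure (trunk stays).
OK_LOG = """\
Oct 15 13:51:03.723: Applying command... 'no switchport access vlan 1' at Fa0/6
Oct 15 13:51:03.756: Applying command... 'switchport mode trunk' at Fa0/6
Oct 15 13:51:04.805: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.0d55.2187) on Interface Fa0/6 AuditSessionID 0A3039E10000000600757ABB
"""

TS = r"(?P<ts>\w{3}\s+\d+ [\d:.]+)"
CMD_RE = re.compile(TS + r": Applying command\.\.\. '(?P<cmd>[^']+)' at (?P<port>\S+)$")
OVERRIDE_RE = re.compile(TS + r": %DOT1X-5-RESULT_OVERRIDE: .* on Interface (?P<port>\S+) AuditSessionID (?P<sid>\S+)$")


def parse_events(log):
    """Group per-port events as (timestamp, kind, detail); kind is 'cmd' or 'override'."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = CMD_RE.match(line)
        if m:
            events[m["port"]].append((m["ts"], "cmd", m["cmd"]))
            continue
        m = OVERRIDE_RE.match(line)
        if m:
            events[m["port"]].append((m["ts"], "override", m["sid"]))
    return events


def find_mode_reverts(log):
    """Return {port: finding} for ports set to trunk and later pushed back to access."""
    findings = {}
    for port, evs in parse_events(log).items():
        # Sequence of 'switchport mode <x>' values in log order, e.g. ['trunk', 'access'].
        modes = [d.split()[-1] for _, k, d in evs if k == "cmd" and d.startswith("switchport mode ")]
        overrides = [d for _, k, d in evs if k == "override"]
        if "trunk" in modes and modes[-1] == "access":
            findings[port] = {"modes": modes, "override_session": overrides[-1] if overrides else None}
    return findings
```

A port that was authorized as a trunk and then silently falls back to access is worth alerting on, since the supplicant switch ends up on an unexpected VLAN configuration.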