802.1x Dynamic VLAN Switching Question

Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.

Environment:

ACS Express 5.0.1

C3550 running c3550-ipbasek9-mz.122-44.SE6.bin

Switch config:

aaa new-model
aaa group server radius dot1x
 server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541
aaa authentication dot1x default group dot1x
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 speed 100
 duplex full
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 spanning-tree portfast
ip radius source-interface FastEthernet0/1 vrf default
!
radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 01000307490E125E731F

Am I missing something easy?

2 Replies

The output of "debug radius" should help. Can you capture it and post it?

It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.

The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down".
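
Added example, not part of the thread and not Cisco tooling: a small config audit that flags the condition resolved above, an 802.1X port with no "aaa authorization network" method list, so a VLAN returned by RADIUS is never applied. It assumes running-config style text with sub-commands indented by one space and only checks the "default" method lists; the sample config is constructed from the one in the question, with a placeholder key.

```python
import re

# Constructed sample modelled on the switch configuration in the question
# (RADIUS key replaced by a placeholder).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius dot1x
 server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 PLACEHOLDER
aaa authentication dot1x default group dot1x
dot1x system-auth-control
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
"""

def dot1x_ports(config):
    """Names of interfaces configured with 'dot1x port-control auto'."""
    ports, current = [], None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            # A global line ends the previous interface block.
            current = line.split()[1] if line.startswith("interface ") else None
        elif current and line.strip() == "dot1x port-control auto":
            ports.append(current)
    return ports

def audit_dot1x(config):
    """Findings that would stop a RADIUS-assigned VLAN being applied."""
    if not dot1x_ports(config):
        return []  # no 802.1X ports, nothing to audit
    findings = []
    for required in ("aaa new-model", "dot1x system-auth-control"):
        if not re.search(rf"^{required}\s*$", config, re.M):
            findings.append(f"missing '{required}'")
    groups = set(re.findall(r"^aaa group server radius (\S+)", config, re.M))
    for kind in ("authentication dot1x", "authorization network"):
        m = re.search(rf"^aaa {kind} default group (\S+)", config, re.M)
        if m is None:
            findings.append(f"missing 'aaa {kind} default group <name>'")
        elif m.group(1) != "radius" and m.group(1) not in groups:
            findings.append(f"'aaa {kind}' uses undefined group '{m.group(1)}'")
    return findings

if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG):
        print(finding)
```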