
802.1x function issue: Guest device pulling wrong IP for different VLAN than guest VLAN

s-daly
Level 1

Hello:

I'm running a C881W router, which has an integrated 4-port switch, running code 15.2(4)M2. I'm running 802.1x wired auth with a guest VLAN. Here's the pertinent config:

aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
!
ip dhcp pool SOHO1
 network 10.11.2.0 255.255.255.224
 default-router 10.11.2.1
 domain-name dwt.com
 dns-server 10.0.16.229 192.168.143.11
 netbios-name-server 10.0.16.229 192.168.143.11
 netbios-node-type h-node
 option 43 hex f104.0a00.332e
!
ip dhcp pool VoIP1
 network 10.11.2.32 255.255.255.224
 default-router 10.11.2.33
 domain-name dwt.com
 dns-server 10.0.16.229 192.168.143.11
 option 150 ip 10.0.216.20 10.0.216.21
!
ip dhcp pool Guest1
 network 192.168.254.0 255.255.255.224
 default-router 192.168.254.1
 dns-server 8.8.4.4 8.8.8.8
 domain-name guest.access.info
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
! all the switchports on this router look like this
interface FastEthernet0
 switchport voice vlan 2
 no ip address
 authentication event fail retry 1 action authorize vlan 3
 authentication event server dead action reinitialize vlan 3
 authentication event no-response action authorize vlan 3
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
!
interface Vlan1
 ip address 10.11.2.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description voice vlan
 ip address 10.11.2.33 255.255.255.224
!
interface Vlan3
 description guest vlan
 ip address 192.168.254.1 255.255.255.224
 ip access-group GuestAccessEXT1 in
 ip nat inside
 ip virtual-reassembly in
!

Vlan 1 has access to the corporate network, vlan 3 is the guest vlan with Internet access only.

Anyway, when I have a device configured for 802.1x authentication it works fine, auth succeeds, the port is assigned to vlan 1, and the device has the necessary access. We're good there.

When I have a device that does not authenticate, and need it to be assigned to the guest vlan, it appears the 802.1x piece is working:

Apr 19 13:51:29 PDT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0 AuditSessionID 0A00F4010000001B0DC0ACE4
Apr 19 13:51:29 PDT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0 AuditSessionID 0A00F4010000001B0DC0ACE4
Apr 19 13:51:29 PDT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0 AuditSessionID 0A00F4010000001B0DC0ACE4
Apr 19 13:51:29 PDT: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0 AuditSessionID 0A00F4010000001B0DC0ACE4
Apr 19 13:51:29 PDT: %AUTHMGR-5-VLANASSIGN: VLAN 3 assigned to Interface Fa0 AuditSessionID 0A00F4010000001B0DC0ACE4
Apr 19 13:51:29 PDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0 AuditSessionID 0A00F4010000001B0DC0ACE4

Also, 'show int f0 switchport' successfully shows the port being assigned to vlan 3, the guest vlan.

However, the DHCP assignment goes terribly awry, for the guest device pulls an IP for the wrong VLAN:

C:\Users\dalys>ipconfig /all

. . .

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : dwt.com
   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : F0-DE-F1-E1-00-86
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.11.2.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Lease Obtained. . . . . . . . . . : Friday, April 19, 2013 8:48:01 AM
   Lease Expires . . . . . . . . . . : Saturday, April 20, 2013 8:47:59 AM
   Default Gateway . . . . . . . . . : 10.11.2.1

   DHCP Server . . . . . . . . . . . : 10.11.2.1

   DHCPv6 IAID . . . . . . . . . . . : 250666737
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-C5-9C-CD-F0-DE-F1-E1-00-86

   DNS Servers . . . . . . . . . . . : 10.0.16.229

                                       192.168.143.11

   Primary WINS Server . . . . . . . : 10.0.16.229

                                        192.168.143.11

   NetBIOS over Tcpip. . . . . . . . : Enabled

At this point, I have absolutely no connectivity, no corporate access (which is what I expect), and no Internet (which is a problem). However, if I manually release and renew the IP using ipconfig, it pulls the correct IP for the correct VLAN:

C:\Users\dalys>ipconfig /release

C:\Users\dalys>ipconfig /renew

C:\Users\dalys>ipconfig /all

. . .

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : guest.access.info

   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : F0-DE-F1-E1-00-86
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.254.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224

   Default Gateway . . . . . . . . . : 192.168.254.1

   DHCP Server . . . . . . . . . . . : 192.168.254.1

   DHCPv6 IAID . . . . . . . . . . . : 250666737
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-C5-9C-CD-F0-DE-F1-E1-00-86

   DNS Servers . . . . . . . . . . . : 8.8.4.4

                                       8.8.8.8

And now I have Internet access.

So, what gives? Why do I initially receive an IP for the wrong VLAN and network? Am I missing some configuration? I would anticipate that the guest device would automatically be assigned an IP to the guest vlan based on the auth failure from the log, but this obviously isn't happening. Any ideas?

3 Replies

Amjad Abdullah
VIP Alumni

I would say that on the first attempt the client does not get an IP at all but it refers back to the last known IP it had. That's why when you release and renew it goes to choose the correct IP address.

What you can do is to connect successfully to the GUEST network with the correct IP (after the release/renew). Now you disconnect the cable and connect it back again. What IP address will you get?

You can also collect some packet capture on the client adapter to see the DHCP process. I would say the client sends a request but does not receive a response.

Knowing the issue with the DHCP scope/process, that can be troubleshot accordingly from that point of view.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

I took a look at the release notes for the issue you are experiencing and didn't see any bugs that match this condition.

I think Amjad hit it on the head by providing the steps to troubleshoot this issue, which should give you an answer. Also, take a look at the MAC address table on the interface periodically during authentication. It would be interesting to see if the MAC address is added to the table momentarily before the auth manager makes the decision to place the client on the guest vlan.

Thanks,


bravotom99
Level 1

I think you may be hitting bug CSCug19522. I have been working with Cisco on this for a while now. From what I see on any code 15.2 or higher on the 881, DHCP gives out an IP address from the trusted VLAN as soon as anything is plugged into the port. If you do a 'show auth sessions', you'll see that dot1x is still running, but if you do a 'show ip dhcp binding', you'll see an IP was already given out.

The machine will eventually fail and the 881 thinks it gave out a guest VLAN IP; however, the laptop already got an IP from when it was first plugged in. This is why ipconfig /release and /renew ends up with the correct IP.
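
Added example, not part of the thread and not Cisco tooling: a Python check for the symptom discussed above, comparing the VLAN the auth manager assigned to a port with the subnet the client's DHCP lease came from. The function names are hypothetical; the config and syslog excerpts are copied from the first post, and the two lease addresses are the ones in its ipconfig output.

```python
import ipaddress
import re

# Excerpts copied from the first post: SVI addressing and the auth-manager log line.
CONFIG = """\
interface Vlan1
 ip address 10.11.2.1 255.255.255.224
interface Vlan2
 ip address 10.11.2.33 255.255.255.224
interface Vlan3
 ip address 192.168.254.1 255.255.255.224
"""
SYSLOG = (
    "Apr 19 13:51:29 PDT: %AUTHMGR-5-VLANASSIGN: VLAN 3 assigned to "
    "Interface Fa0 AuditSessionID 0A00F4010000001B0DC0ACE4\n"
)

def vlan_subnets(config):
    """Map VLAN id -> IPv4 network from 'interface VlanN' / 'ip address' pairs."""
    nets, vlan = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            m = re.fullmatch(r"interface Vlan(\d+)", line)
            vlan = int(m.group(1)) if m else None  # ignore non-SVI interfaces
        elif vlan is not None:
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m:
                nets[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def assigned_vlans(syslog):
    """Last VLAN the auth manager assigned to each interface."""
    pat = r"%AUTHMGR-5-VLANASSIGN: VLAN (\d+) assigned to Interface (\S+)"
    return {port: int(vlan) for vlan, port in re.findall(pat, syslog)}

def check_lease(port, leased_ip, nets, assigned):
    """Compare a client's DHCP lease with the VLAN its port was authorized into."""
    want = assigned.get(port)
    if want is None:
        return "no VLAN assignment logged"
    ip = ipaddress.ip_address(leased_ip)
    got = next((v for v, n in nets.items() if ip in n), None)
    if got == want:
        return "ok"
    return f"mismatch: port in VLAN {want}, lease from VLAN {got}"

if __name__ == "__main__":
    nets, assigned = vlan_subnets(CONFIG), assigned_vlans(SYSLOG)
    for ip in ("10.11.2.2", "192.168.254.2"):  # before and after release/renew
        print("Fa0", ip, "->", check_lease("Fa0", ip, nets, assigned))
```

A mismatch where the lease falls in the trusted VLAN's subnet while the port is authorized into the guest VLAN is the condition the first post shows before the release/renew.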