Authentication Failed and No Response VLAN

fouzan.work
Level 1

I'm running 12.2(33)SXI. The documentation states:

With Cisco IOS Release 12.2(33)SXH and later releases, when you configure a guest VLAN, clients that are not 802.1X-capable are put into the guest VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 802.1X-capable but that fail authentication are not granted network access. When operating as a guest VLAN, a port functions in multiple-hosts mode regardless of the configured host mode of the port.

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1135086

I've configured the following (in addition to the normal 802.1x commands) on the port to which the client is connected:

authentication event no-response action authorize vlan 100

&

authentication event fail action authorize vlan 100

Where vlan 100 is the guest VLAN--i.e. I want any client that has either 1) no 802.1x supplicant configured on the workstation or 2) does not have a valid login/password, to be placed on this VLAN. The problem I run into is that neither of these two things is happening. I can authenticate users with valid login credentials against AD and the internal database, but when a user without valid credentials attempts to log on or one without a supplicant attempts to connect, I see the debugs in the switch just sending EAP polls to the client. I would expect that it should put the client on the guest VLAN after the attempts time out or if the user provides invalid credentials. This doesn't happen. Please advise. Thanks.

2 Replies

b.julin
Level 3

What's your host-mode?  If you are running in multi-auth, guest vlan might not work, though you might be the first victim of this on a router versus a switch...

See this other thread here:

https://supportforums.cisco.com/thread/2045442?tstart=0

It seems that the following command seemed to do the trick for us:

dot1x guest-vlan supplicant

Basically, even though I had the guest VLAN specified at the interface level, until I entered the above command at the global level, the client (that has no 802.1x supplicant or one that entered wrong credentials) was not being placed in the guest VLAN. Once I entered the above command, it seems to be getting placed in the guest VLAN.
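
A check for the two conditions raised in this thread, as an added example that is not part of the original posts: it scans a saved running-config for ports that use the fail/no-response VLAN commands and reports when the global `dot1x guest-vlan supplicant` line is absent or when the port is in multi-auth host mode. The sample config, interface name and function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the thread); interface names are placeholders.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/1
 authentication event fail action authorize vlan 100
 authentication event no-response action authorize vlan 100
 authentication host-mode multi-auth
!
interface GigabitEthernet1/2
!
"""

EVENT_RE = re.compile(r"^authentication event (fail|no-response) action authorize vlan (\d+)$")

def parse_interfaces(config):
    """Return {interface name: [stripped sub-command lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other non-indented line ends the interface block
    return interfaces

def has_global(config, command):
    """True if command appears as a non-indented (global) line."""
    return any(line.rstrip() == command for line in config.splitlines())

def audit(config):
    """Return (interface, issue) findings for ports using fail/no-response VLANs."""
    findings = []
    global_ok = has_global(config, "dot1x guest-vlan supplicant")
    for name, cmds in parse_interfaces(config).items():
        events = [m.groups() for m in map(EVENT_RE.match, cmds) if m]
        if events and not global_ok:
            # Condition described in the last reply of the thread.
            findings.append((name, "missing global 'dot1x guest-vlan supplicant'"))
        if events and "authentication host-mode multi-auth" in cmds:
            # Caveat raised in the first reply of the thread.
            findings.append((name, "host-mode multi-auth set; guest VLAN may not work"))
    return findings

if __name__ == "__main__":
    for port, issue in audit(SAMPLE_CONFIG):
        print(f"{port}: {issue}")
```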