11-14-2012 12:21 PM - edited 03-10-2019 07:47 PM
Hello All,
I'm configuring dot1x on our access-layer switch ports and am having some issues with devices that fail authentication. This is the current configuration on the switch port:
switchport mode access
switchport voice vlan 38
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout server-timeout 10
dot1x timeout reauth-period server
dot1x timeout tx-period 10
dot1x timeout supp-timeout 3
dot1x max-req 3
dot1x max-reauth-req 3
dot1x reauthentication
dot1x critical
dot1x critical recovery action reinitialize
dot1x auth-fail vlan 7
dot1x guest-vlan 7
dot1x critical vlan 36
spanning-tree portfast
spanning-tree bpduguard enable
When a non-employee connects, they go through the authentication process, eventually fail dot1x and MAB, and get placed into the designated guest VLAN 7. If you do a "show int gx/x status" on that switch port it shows them connected and in VLAN 7. If you do a "show dot1x int gx/x details" it also shows the port as authorized (By Guest-Vlan) and the VLAN policy is 7. The problem is the user never gets a valid IP address; they just receive a 169.x.x.x address. Does anyone have experience with this type of issue or have any recommendations?
Thanks,
Brian
11-14-2012 05:08 PM
- First off, your switch commands tell me you are using old software on your switch; you should upgrade it first, as there have been many bug fixes and enhancements to dot1x/mab in recent releases.
- Your problem is probably that your guest DHCP client is timing out before you are done with dot1x and mab. Usually adjusting tx-period to a lower number could reduce the time it takes before you reach the guest VLAN, but it could also have an impact on your machines that are running dot1x, so you would have to try some different values. Also, using Windows XP SP3 or Windows 7 helps as well on your dot1x machines, and finally, using the AnyConnect NAM supplicant will make it work fine without having problems when adjusting dot1x timers on your switch.
- With the new software I would go with default timers, maybe change tx-period to 5 secs, and then use "authentication order mab dot1x" and "authentication priority mab dot1x". Also, having your guest VLAN as your default VLAN will usually solve the problem of guests having to do a new DHCP request once authorized; however, you could run into problems with stuff you want to use mab on.
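As an added illustration of the timing argument in the reply above (not code from the thread, from Cisco, or from the poster), the model below computes how long a device that never answers EAP waits before the switch falls through dot1x and MAB into the guest VLAN, and compares that with a DHCP client give-up window. The 60-second DHCP window and the 2-second MAB RADIUS round trip are assumed values to replace with what you measure; the EAP retry arithmetic follows the IOS tx-period / max-reauth-req behaviour.

```python
# Added model of the dot1x -> MAB -> guest-VLAN fallback timing discussed in
# the reply. Timer semantics follow the IOS guest-VLAN behaviour: the switch
# sends EAP-Request/Identity, waits tx-period, resends it max-reauth-req times,
# and only then declares that no supplicant is present.
from typing import Dict, Tuple

DHCP_WINDOW_S = 60   # assumed: seconds a DHCP client retries DISCOVER before self-assigning 169.254.x.x
MAB_RTT_S = 2        # assumed: seconds for one MAB RADIUS Access-Request/Reject exchange


def dot1x_no_response_time(tx_period: int, max_reauth_req: int) -> int:
    """Seconds until the authenticator gives up on a device that never answers EAP."""
    return (max_reauth_req + 1) * tx_period


def time_to_authorized(tx_period: int, max_reauth_req: int,
                       order: Tuple[str, ...] = ("dot1x", "mab"),
                       mab_known: bool = False) -> int:
    """Seconds until the port is authorized, either by MAB (known MAC) or by
    falling through every method into the guest VLAN.

    order     -- legacy 'dot1x mac-auth-bypass' runs dot1x then mab;
                 'authentication order mab dot1x' runs mab then dot1x.
    mab_known -- True if RADIUS knows the MAC (printer, phone); False for a guest.
    """
    elapsed = 0
    for method in order:
        if method == "dot1x":
            elapsed += dot1x_no_response_time(tx_period, max_reauth_req)
        elif method == "mab":
            elapsed += MAB_RTT_S
            if mab_known:
                return elapsed      # authorized by MAB; later methods never run
        else:
            raise ValueError(f"unknown method {method!r}")
    return elapsed                  # all methods exhausted: guest VLAN


def dhcp_budget(tx_period: int, max_reauth_req: int, **kw) -> Dict[str, object]:
    """Report whether a guest reaches the guest VLAN inside the DHCP client window."""
    t = time_to_authorized(tx_period, max_reauth_req, **kw)
    return {"seconds": t, "margin": DHCP_WINDOW_S - t, "fits": t <= DHCP_WINDOW_S}


if __name__ == "__main__":
    # Original post: tx-period 10, max-reauth-req 3 -> 40 s of EAP retries, then MAB.
    print("thread config        :", dhcp_budget(10, 3))
    # IOS defaults: tx-period 30, max-reauth-req 2 -> 90 s before MAB even starts.
    print("IOS defaults         :", dhcp_budget(30, 2))
    # Reply's suggestion: tx-period 5 with mab first.
    print("tx-period 5, mab first:", dhcp_budget(5, 2, order=("mab", "dot1x")))
    # A known MAC with mab first is authorized after a single RADIUS exchange.
    print("known MAC, mab first :", dhcp_budget(30, 2, order=("mab", "dot1x"), mab_known=True))
```

Run it with the timers from "show running-config" and the DHCP window you observe on the guest client; a negative margin means the client has already fallen back to 169.254.x.x before the guest VLAN is applied.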
11-15-2012 08:12 AM
Jan,
Thanks for your recommendations - looks like we're going to upgrade to cat4500e-entservicesk9-mz.122-53.SG4 and hopefully that'll resolve our issues. I'll post an update afterwards to let everyone know.
Thanks,
Brian
11-20-2012 10:50 AM
After upgrading to cat4500e-entservicesk9-mz.122-53.SG4 all dot1x parameters worked fine! Thanks for your assistance.
Brian
11-20-2012 11:37 AM
That's great, good luck with your dot1x setup.
Jan
08-16-2018 12:43 PM
Hello Guys,
I configured MAC authentication bypass with an NPS server and it's working if I add the MAC address in Active Directory. But for unknown devices, ports are still going into the error-disabled state (orange); instead they should go into the guest VLAN.
Please see my configuration and let me know if I am missing anything.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius (I don't know the purpose of this command)
dot1x system-auth-control
Interface G1/0/3
switchport mode access
authentication event fail action authorize vlan 10
authentication host-mode multi-auth
authentication order mab
authentication port-control auto
mab
!
That's all I configured; basically I just want to use the MAC address from NPS to allocate VLANs, and if that fails the switch should just assign the guest VLAN.
Thanks