Dot1x Guest Vlan / Auth Fail Vlan Issues

Brian Saunders (Level 1)

Hello All,

I am configuring dot1x on our access layer switch-ports and am having some issues with devices that fail authentication. This is the current configuration on the switch-port:

switchport mode access
switchport voice vlan 38
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout server-timeout 10
dot1x timeout reauth-period server
dot1x timeout tx-period 10
dot1x timeout supp-timeout 3
dot1x max-req 3
dot1x max-reauth-req 3
dot1x reauthentication
dot1x critical
dot1x critical recovery action reinitialize
dot1x auth-fail vlan 7
dot1x guest-vlan 7
dot1x critical vlan 36
spanning-tree portfast
spanning-tree bpduguard enable

When a non-employee connects they go through the authentication process, eventually fail dot1x and MAB, and get placed into the designated guest VLAN 7. If you do a "show int gx/x status" on that switch-port it shows them connected and in VLAN 7. If you do a "show dot1x int gx/x details" it also shows the port as authorized (By Guest-Vlan) and the VLAN policy is 7. The problem is the user never gets a valid IP address; they just receive a 169.x.x.x. Anyone have any experience with this type of issue or have any recommendations?

Thanks,

Brian

Accepted Solution

jan.nielsen (Level 7)

- First off, your switch commands tell me you are using old software on your switch; you should upgrade it first, as there have been many bug fixes and enhancements to dot1x/mab in recent releases.

- Your problem is probably that your guest DHCP client is timing out before you are done with dot1x and MAB. Usually adjusting tx-period to a lower number can help the time it takes before you reach the guest VLAN, but it could also have an impact on your machines that are running dot1x; you would have to try some different values. Also using Windows XP SP3 or Windows 7 helps as well on your dot1x machines, and finally using the AnyConnect NAM supplicant will make it work fine without having problems when adjusting dot1x timers on your switch.

- With the new software I would go with default timers, maybe change tx-period to 5 secs, and then use "authentication order mab dot1x" and "authentication priority mab dot1x". Also having your guest VLAN as your default VLAN will usually solve the problem of guests having to do a new DHCP request once authorized; however, you could run into problems with stuff you want to use MAB on.
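To make Jan's timing argument concrete, here is an added illustration (not code from the thread or from Cisco) that models how long a device failing both 802.1X and MAB waits before the port lands in the guest VLAN, and checks that against a constructed DHCP DISCOVER retransmission schedule. The 802.1X give-up formula, the IOS default timer values and the DHCP schedule are assumptions, stated in the comments.

```python
"""Timing model for the failure Jan describes: the guest's DHCP client gives
up before the port has fallen through 802.1X and MAB into the guest VLAN.
Assumptions (an added illustration, not Cisco's implementation):
  * 802.1X gives up after (max_reauth_req + 1) EAP-Request/Identity frames
    sent tx_period seconds apart, then the port tries MAB.
  * A MAB attempt the RADIUS server rejects finishes at once; one that gets
    no reply costs server_timeout seconds.
  * The DHCP client retransmits DISCOVER on a constructed back-off schedule
    and then self-assigns a 169.254.x.x address.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed DISCOVER schedule (seconds after link-up), not measured from a
# real client: first attempt at t=0, then exponential back-off.
DHCP_DISCOVER_SCHEDULE: Sequence[int] = (0, 4, 8, 16, 32)


@dataclass(frozen=True)
class PortTimers:
    tx_period: int       # dot1x timeout tx-period
    max_reauth_req: int  # dot1x max-reauth-req
    server_timeout: int  # dot1x timeout server-timeout


# Brian's posted timers, and Jan's suggestion (tx-period 5, everything else
# left at defaults; defaults assumed to be max-reauth-req 2, server-timeout 30).
ORIGINAL = PortTimers(tx_period=10, max_reauth_req=3, server_timeout=10)
RECOMMENDED = PortTimers(tx_period=5, max_reauth_req=2, server_timeout=30)


def seconds_to_guest_vlan(t: PortTimers, radius_answers: bool = True) -> int:
    """Link-up to guest-VLAN authorization for a device that fails both."""
    dot1x_phase = (t.max_reauth_req + 1) * t.tx_period
    mab_phase = 0 if radius_answers else t.server_timeout
    # 'authentication order mab dot1x' only swaps the two phases; a device
    # that fails both still waits for both before reaching the guest VLAN.
    return dot1x_phase + mab_phase


def first_discover_after(t_guest: int,
                         schedule: Sequence[int] = DHCP_DISCOVER_SCHEDULE,
                         ) -> Optional[int]:
    """Offset of the first DISCOVER the guest VLAN can answer, or None when
    the client exhausts its schedule first (the 169.x.x.x symptom)."""
    return next((s for s in schedule if s >= t_guest), None)
```

With Brian's timers the port reaches the guest VLAN at 40 s, after the modelled client's last DISCOVER at 32 s; with tx-period 5 and default max-reauth-req it arrives at 15 s, in time for the DISCOVER at 16 s.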


5 Replies

Jan,

Thanks for your recommendations. It looks like we're going to upgrade to cat4500e-entservicesk9-mz.122-53.SG4 and hopefully that'll resolve our issues. I'll post an update afterwards to let everyone know.

Thanks,

Brian

After upgrading to cat4500e-entservicesk9-mz.122-53.SG4 all dot1x parameters worked fine!  Thanks for your assistance.

Brian

That's great, good luck with your dot1x setup.

Jan

Hello Guys,

I configured MAC authentication bypass with an NPS server and it is working if I add the MAC address in Active Directory. But for unknown devices the ports are still going into error-disable state (orange); instead they should go into the guest VLAN.

Please see my configuration and let me know if I am missing anything.


aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius   (I don't know the purpose of this command)

dot1x system-auth-control

interface G1/0/3
 switchport mode access
 authentication event fail action authorize vlan 10
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 mab
!


That's all I configured; basically I just want to use the MAC address from NPS to allocate VLANs, and if it fails then the switch should just assign the guest VLAN.

Thanks
