Hi all,
I'm trying to configure ports on Catalyst 2960, 2960X and 9200L switches using host-mode multi-auth while also keeping the fail VLAN, because we want to maintain a recovery method that guarantees access to devices even if MAB and dot1x fail.
We are using mab and then dot1x as the authentication order (because we have some issues with IP phone certificates, so we need to use MAB as the first attempt).
The problem arose during the first test on the 2960, using devices that are not able to use dot1x and whose MAC addresses are not recognized by the RADIUS system. With multi-auth mode the port remains not authorized and the MAC address goes into drop state.
I found in some documentation (not in all of it) that with multi-auth mode the guest VLAN and fail VLAN are not enabled, even though I can configure them.
On the cat9200L the behaviour seems to be different, as I see the device in authorized state, so my question is: have you also tried this type of setup? Is it a platform-dependent behaviour, or is it correct that with multi-authentication mode it is not permitted to use the guest and fail VLAN?
Below is an example.
On cat9200L C9200L-24P-4G 16.12.02:
---------------------------------------
SW-RM052-V-0-1#show run int gi1/0/21
Building configuration...
Current configuration : 1053 bytes
!
interface GigabitEthernet1/0/21
description verso presa Lan Telefono IP + PC
switchport mode access
switchport voice vlan 101
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security
authentication control-direction in
authentication event fail action authorize vlan 1
authentication event server dead action authorize vlan 1
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
trust device cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input PC-SoftPhone+HardPhone
service-policy output AutoQos-4.0-Output-Policy
end
SW-test1# show authentication sessions interface gigabitEthernet 1/0/21 details
Interface: GigabitEthernet1/0/21
IIF-ID: 0x1A681F3E
MAC Address: d014.111f.f8e6
IPv6 Address: Unknown
IPv4 Address: 10.98.199.19
User-Name: d014111ff8e6
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: 1530470A0000005908163060
Acct Session ID: 0x00000043
Handle: 0xf200004f
Current Policy: POLICY_Gi1/0/21
Local Policies:
Service Template: GUEST_VLAN_Gi1/0/21 (priority 150)
Vlan Group: Vlan: 1
Server Policies:
Method status list:
Method State
dot1x Stopped
mab Stopped
SW-test1#ping 10.98.199.19
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.98.199.19, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
SW-RM052-V-0-1#show mac ad
SW-RM052-V-0-1#show mac address-table int
SW-RM052-V-0-1#show mac address-table interface gi
SW-RM052-V-0-1#show mac address-table interface gigabitEthernet 1/0/21
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 d014.111f.f8e6 STATIC Gi1/0/21
Total Mac Addresses for this criterion: 1
SW-test1#
On 2960 WS-C2960-24LT-L 12.2(55)SE12:
-----------------------------------------
SW-test2#show run int f0/2
Building configuration...
Current configuration : 890 bytes
!
interface FastEthernet0/2
description verso presa Lan Telefono IP + PC
switchport mode access
switchport voice vlan 101
srr-queue bandwidth share 10 10 60 20
priority-queue out
authentication control-direction in
authentication event fail action authorize vlan 1
authentication event server dead action authorize vlan 1
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input PC-SoftPhone+HardPhone
end
SW-VR034-0-1-NEW#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 0023.1600.7a28
IP Address: 10.107.34.212
User-Name: 002316007a28
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A5B3EA50000020937E83600
Acct Session ID: 0x000010C1
Handle: 0xBA000209
Runnable methods list:
Method State
mab Failed over
dot1x Failed over
SW-VR034-0-1-NEW#show mac address-table interface fastEthernet 0/2
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0023.1600.7a28 DYNAMIC Drop
Total Mac Addresses for this criterion: 1
SW-VR034-0-1-NEW#
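As an added example (not part of the post above): a small Python audit that parses IOS interface stanzas like the two above and flags ports where host-mode multi-auth is combined with a fail or no-response fallback VLAN, the combination the post reports behaving differently on the 2960 and the 9200L. The sample config and its interface names are constructed, not taken from the poster's switches.

```python
import re
from typing import Dict, List

# Constructed sample: two stanzas modelled on the port config in the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/21
 switchport mode access
 switchport voice vlan 101
 authentication event fail action authorize vlan 1
 authentication event no-response action authorize vlan 1
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/22
 switchport mode access
 authentication host-mode multi-domain
 authentication event fail action authorize vlan 1
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

FALLBACK_RE = re.compile(r"authentication event (fail|no-response) action authorize vlan (\d+)")

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [stanza lines]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line in ("!", "end"):
            current = None           # '!' or 'end' closes the stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def audit_port(lines: List[str]) -> dict:
    """Summarise one port's auth host-mode, method order and fallback VLANs."""
    # IOS default host-mode when none is configured is single-host.
    host_mode = next((ln.split()[-1] for ln in lines if ln.startswith("authentication host-mode")), "single-host")
    order = next((ln.split()[2:] for ln in lines if ln.startswith("authentication order")), [])
    fallback = {}
    for ln in lines:
        m = FALLBACK_RE.match(ln)
        if m:
            fallback[m.group(1)] = int(m.group(2))   # event -> fallback VLAN
    return {"host_mode": host_mode, "order": order, "fallback_vlans": fallback,
            "multi_auth_with_fallback": host_mode == "multi-auth" and bool(fallback)}

def audit_config(config: str) -> Dict[str, dict]:
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```

Run `audit_config` over a full `show running-config` capture to list every port whose recovery VLAN depends on this platform-specific behaviour before changing host modes.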