12-01-2014 11:26 AM - edited 03-10-2019 10:13 PM
Hello,
I'm deploying dot1x in the office and I'm having a little difficulty with enabling both dot1x with mab and then failing over to the guest vlan.
A simple scenario where an end user device cannot provide authentication, I want the switch to automatically put the user on the guest vlan. I did not enable periodic authentication to lower down excessive authentications and I configured maximum attempts but the switch will constantly try to authenticate the device.
Switch model: WS-C2960-24LT-L with 15.0(2)SE6.
Switch configuration:
aaa accounting dot1x default start-stop group radius
aaa authentication dot1x default group radius
dot1x system-auth-control
Port configuration:
interface FastEthernet0/15
 switchport access vlan 144
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x max-req 3
 dot1x max-reauth-req 1
 spanning-tree portfast
!
Any help will be greatly appreciated.
UPDATE: See comment below.
12-01-2014 01:27 PM
I found a solution where 'event fail action next-method' would likely trigger the next authentication method without failing over. I also removed the priority and order commands as the switch will process in the intended order.
Here is the result:
interface FastEthernet0/16
 switchport access vlan 144
 switchport mode access
 authentication event fail action authorize vlan 550
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x max-req 3
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable
end
Hope this helps someone else.
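An added example, not part of the original posts: a small Python check that reads interface stanzas like the two in this thread and reports, for ports using `authentication port-control auto`, which authentication events have no `authorize vlan` action. The sample text is constructed from the authentication lines posted above, and the function names are illustrative.

```python
import re

# Constructed sample: the authentication lines of the two port stanzas in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/15
 authentication event fail action next-method
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication port-control auto
!
interface FastEthernet0/16
 authentication event fail action authorize vlan 550
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication port-control auto
end
"""

EVENT_RE = re.compile(r"authentication event (fail|server dead|no-response) action (.+)")

def parse_interfaces(text):
    """Split IOS-style config text into {interface name: [commands]}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!", "end"):
            current = None  # stanza separator: stop collecting commands
        elif current is not None:
            current.append(line)
    return stanzas

def fallback_report(commands):
    """Map each authentication event to its fallback VLAN, or None without one."""
    report = dict.fromkeys(("fail", "server dead", "no-response"))
    for cmd in commands:
        m = EVENT_RE.fullmatch(cmd)
        if m:
            vlan = re.fullmatch(r"authorize vlan (\d+)", m.group(2))
            report[m.group(1)] = int(vlan.group(1)) if vlan else None
    return report

def audit(text):
    """Return {interface: [events lacking a fallback VLAN]} for port-control auto ports."""
    return {name: [e for e, v in fallback_report(cmds).items() if v is None]
            for name, cmds in parse_interfaces(text).items()
            if "authentication port-control auto" in cmds}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```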
12-02-2014 10:11 PM
Good job on solving your own problem Oliver and for taking the time to update everyone here! (+5 from me). If your issue is solved you should mark the thread as answered ;)