Guest Vlan - Assignment Error 3560

ricardorojas123
Level 1

Hi,

I am configuring 802.1X on a 3560 switch; my RADIUS server is Microsoft IAS. When I connect a guest user's station, the guest VLAN is not assigned to the port, and I get these logs:

May  8 21:23:02: dot1x-ev:Received an EAP Timeout on FastEthernet0/8 for mac 0000.0000.0000
May  8 21:23:02: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable.  Supplicant disabled and EAPOL seen on port FastEthernet0/8.
May  8 21:23:02: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable.  Supplicant disabled and EAPOL seen on port FastEthernet0/8.
May  8 21:23:02: dot1x-ev:Resetting the client 0000.0000.0000
May  8 21:23:03: dot1x-ev:Resetting the client 0000.0000.0000
May  8 21:23:04: dot1x-ev:FastEthernet0/8:Sending EAPOL packet to group PAE address
May  8 21:23:04: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/8.
May  8 21:23:04: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/8

The configuration of Switch:

vlan 7
 name data
vlan 31
 name guest
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control
radius-server host <ip>  auth-port 1645 acct-port 1646 key <key>
radius-server source-ports 1645-1646
interface FastEthernet0/8
 switchport access vlan 7
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-req 1
 dot1x max-reauth-req 1
 dot1x guest-vlan 31
 dot1x auth-fail vlan 200
 dot1x auth-fail max-attempts 1
 dot1x critical vlan 200
 spanning-tree portfast

Additional Information: IOS: c3560-ipbase-mz.122-25.SEE3, Model: WS-C3560-48PS-S

I hope you can help me with the problem and I appreciate your help!

Note: the authentication of the corporative stations is successful:

7 Replies

ricardorojas123
Level 1

Hi friends, any suggestions?

When you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 802.1x-capable but that fail authentication are not granted network access. The switch supports guest VLANs in single-host or multiple-hosts mode.

A few questions:

1.] What dot1x mode have you configured on interface fa0/8? I don't see any.

2.] What kind of end client do we have connected on this port? Is it dot1x capable?

With Cisco IOS Release 12.1(22)EA2 and later, the switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an 802.1x-capable supplicant, and the interface does not change to the guest VLAN state.

Jatin Katyal


- Do rate helpful posts -

~Jatin

You can enable optional guest VLAN behavior by using the dot1x guest-vlan supplicant global configuration command. When enabled, the switch does not maintain the EAPOL packet history and allows clients that fail authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface.

Jatin Katyal


- Do rate helpful posts -

~Jatin
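The two replies above describe the switch withholding the guest VLAN once EAPOL has been seen on the link. As an added example (not from the thread or from Cisco), this Python script scans dot1x-ev debug output for that condition per port; the sample lines are copied from the original post, and the function names and message patterns are assumptions based only on those lines.

```python
import re
from collections import defaultdict

# Debug lines copied from the original post in this thread.
SAMPLE_LOG = """\
May  8 21:23:02: dot1x-ev:Received an EAP Timeout on FastEthernet0/8 for mac 0000.0000.0000
May  8 21:23:02: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable.  Supplicant disabled and EAPOL seen on port FastEthernet0/8.
May  8 21:23:02: dot1x-ev:Resetting the client 0000.0000.0000
May  8 21:23:04: dot1x-ev:FastEthernet0/8:Sending EAPOL packet to group PAE address
May  8 21:23:04: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/8
"""

# Patterns assumed from the message wording shown in the post.
TIMEOUT = re.compile(r"dot1x-ev:Received an EAP Timeout on (\S+) for mac")
BLOCKED = re.compile(r"Guest VLAN not applicable\.\s+(.*?) on port (\S+?)\.?\s*$")


def triage(log_text):
    """Return {port: {"timeouts": n, "guest_blocked": n, "eapol_history": bool}}."""
    ports = defaultdict(
        lambda: {"timeouts": 0, "guest_blocked": 0, "eapol_history": False})
    for line in log_text.splitlines():
        if m := TIMEOUT.search(line):
            ports[m.group(1)]["timeouts"] += 1
        elif m := BLOCKED.search(line):
            entry = ports[m.group(2)]
            entry["guest_blocked"] += 1
            # "EAPOL seen" is the switch reporting its EAPOL packet history.
            entry["eapol_history"] |= "EAPOL seen" in m.group(1)
    return dict(ports)


def findings(log_text):
    """One line per port where the guest VLAN was refused due to EAPOL history."""
    out = []
    for port, s in sorted(triage(log_text).items()):
        if s["guest_blocked"] and s["eapol_history"]:
            out.append(
                f"{port}: guest VLAN refused {s['guest_blocked']}x after "
                f"{s['timeouts']} EAP timeout(s); EAPOL was seen on this link, "
                "so the switch treats the client as 802.1x-capable")
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(finding)
```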

Hi Jatin,

My answers to your questions:

1.] What dot1x mode have you configured on interface fa0/8? I don't see any.

interface FastEthernet0/8
 dot1x host-mode multi-host

2.] What kind of end client do we have connected on this port? Is it dot1x capable?

The end client is a Windows 7 machine, not 802.1x-capable.

I wanted to know the dot1x mode because guest VLANs are supported on 802.1x ports in single-host or multiple-hosts mode. Could you please delete the configuration from the port and configure it with only the config listed below:

interface FastEthernet0/8
 switchport access vlan 7
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 31
 dot1x auth-fail vlan 200
 dot1x critical vlan 200
 spanning-tree portfast

The dot1x host mode could be single or multi host.

Shut down the port and unshut it again.

Capture the debugs and the command output:

show dot1x interface details

Jatin Katyal


- Do rate helpful posts -

~Jatin

Hi Jatin,

I have uploaded the IOS to c3560-ipbase-mz.122-35.SE5, and now the guest vlan is working.

Thank you very much for your help

Now I will start to work with Cisco 2960 LAN Lite.

Thanks for keeping the thread updated.

Jatin Katyal
- Do rate helpful posts -

~Jatin