Multiauth: various DATA vlan on the same port

Yage
Level 1

Hi,

Does authentication host-mode multi-auth option allow authorizing hosts from different vlans (DATA) on the same port?

Trying different configurations, the first host authorizes successfully and the second does not. Separately, both hosts authorize correctly.

I wanted to migrate from Huawei switches and this issue is stopping me.

Am I missing something in the configuration?

IOS 15.2
interface GigabitEthernet1/0/2
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast edge
#show authentication sessions

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi1/0/2      0090.3328.ff71 dot1x   DATA    Unauth    C0A801DE000000270307F39D
Gi1/0/2      18a9.05e6.bdff dot1x   DATA    Auth      C0A801DE000000260307DDB9

Session count = 2
#show authentication sessions interface gigabitEthernet 1/0/2 details
            Interface:  GigabitEthernet1/0/2
          MAC Address:  0090.3328.ff71
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  user_test
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  C0A801DE000000270307F39D
      Acct Session ID:  Unknown
               Handle:  0x9400000B
       Current Policy:  POLICY_Gi1/0/2

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
       Method           State

       dot1x            Authc Success

----------------------------------------
            Interface:  GigabitEthernet1/0/2
          MAC Address:  18a9.05e6.bdff
         IPv6 Address:  Unknown
         IPv4 Address:  192.168.103.80
            User-Name:  user@domain.local
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  C0A801DE000000260307DDB9
      Acct Session ID:  0x00000018
               Handle:  0x9A00000A
       Current Policy:  POLICY_Gi1/0/2

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 103

Method status list:
       Method           State

       dot1x            Authc Success

Debug output for VLAN 103 and 108, both DATA VLANs:

AUTH-FEAT-SWITCH-PM-EVENT: dot1x_switch_is_auth_control_enabled auth_control is enabled
AUTH-FEAT-IPDT-EVENT: [18a9.05e6.bdff, Gi1/0/2] IP 192.168.103.80 update for Mac 18a9.05e6.bdff ignored as already present
AUTH-FEAT-MDA-EVENT: [0090.3328.ff71, Gi1/0/2] Get domain: DATA
AUTH-FEAT-MDA-EVENT: [0090.3328.ff71, Gi1/0/2] Get domain: DATA
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: could not find vlan data for vlan 108
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2]  vlan assign called for client vlan = 108, domain = 1
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: could not find vlan data for vlan 108
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: found vlan 103, user count 2 fwd count 1, client count 1, pending delete 0
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2]  Deny vlan assignment,  vlan 108 is different than oper vlan 103
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2]  unauth for id 0x5800000B client port_opened 0x0
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2]  unauth for id 0x5800000B client port_opened 0x0
AUTH-FEAT-ACCT-EVENT: [0090.3328.ff71, Gi1/0/2] [Session 0x9400000B] Client authz change client_hndl=00000001, phase_result=Fail
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0090.3328.ff71) on Interface Gi1/0/2 AuditSessionID C0A801DE000000270307F39D
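As an added example (not part of the original post or of any Cisco tooling), the following Python script extracts exactly this failure from AUTH-FEAT debug output: it pairs the "vlan assign called" line with the "Deny vlan assignment" line for the same client and port, and attaches the AuditSessionID from the RESULT_OVERRIDE syslog. The sample text is the debug posted above, embedded here as a constructed string; the regular expressions are written against those exact lines, not against any documented IOS log grammar, so other IOS releases may need the patterns adjusted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the AUTH-FEAT debug lines posted in the thread above,
# trimmed to the events relevant to the VLAN-assignment decision.
SAMPLE_DEBUG = """\
AUTH-FEAT-SWITCH-PM-EVENT: dot1x_switch_is_auth_control_enabled auth_control is enabled
AUTH-FEAT-IPDT-EVENT: [18a9.05e6.bdff, Gi1/0/2] IP 192.168.103.80 update for Mac 18a9.05e6.bdff ignored as already present
AUTH-FEAT-MDA-EVENT: [0090.3328.ff71, Gi1/0/2] Get domain: DATA
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: could not find vlan data for vlan 108
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2]  vlan assign called for client vlan = 108, domain = 1
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: found vlan 103, user count 2 fwd count 1, client count 1, pending delete 0
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2]  Deny vlan assignment,  vlan 108 is different than oper vlan 103
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2]  unauth for id 0x5800000B client port_opened 0x0
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0090.3328.ff71) on Interface Gi1/0/2 AuditSessionID C0A801DE000000270307F39D
"""

# Per-client core events carry "[mac, port]"; port-only events ("[Gi1/0/2]") do not match.
CLIENT_EVENT = re.compile(
    r"AUTH-FEAT-SWITCH-CORE-EVENT: \[(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}), "
    r"(?P<port>\S+)\]\s+(?P<msg>.*)"
)
ASSIGN_CALLED = re.compile(r"vlan assign called for client vlan = (?P<vlan>\d+), domain = (?P<domain>\d+)")
DENY = re.compile(r"Deny vlan assignment,\s+vlan (?P<want>\d+) is different than oper vlan (?P<oper>\d+)")
OVERRIDE = re.compile(
    r"%DOT1X-5-RESULT_OVERRIDE: .*client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<port>\S+) "
    r"AuditSessionID (?P<sid>\S+)"
)


@dataclass
class VlanDenial:
    """One client the switch refused to place in its RADIUS-assigned VLAN."""
    port: str
    mac: str
    requested_vlan: int   # VLAN the server tried to assign (here 108)
    oper_vlan: int        # VLAN already pinned on the port by an earlier host (here 103)
    domain: Optional[int] = None       # numeric domain from the 'vlan assign called' line
    session_id: Optional[str] = None   # AuditSessionID from the RESULT_OVERRIDE syslog


def parse_vlan_denials(text: str) -> List[VlanDenial]:
    """Walk debug output in order and return one record per (port, mac) that hit
    'Deny vlan assignment'. Lines are matched per client so two hosts on the same
    port are never mixed up."""
    domains: Dict[Tuple[str, str], int] = {}
    denials: Dict[Tuple[str, str], VlanDenial] = {}
    for line in text.splitlines():
        m = CLIENT_EVENT.match(line)
        if m:
            key = (m["port"], m["mac"])
            a = ASSIGN_CALLED.search(m["msg"])
            if a:
                domains[key] = int(a["domain"])
                continue
            d = DENY.search(m["msg"])
            if d:
                denials[key] = VlanDenial(
                    port=key[0], mac=key[1],
                    requested_vlan=int(d["want"]), oper_vlan=int(d["oper"]),
                    domain=domains.get(key),
                )
            continue
        o = OVERRIDE.match(line)
        if o and (o["port"], o["mac"]) in denials:
            denials[(o["port"], o["mac"])].session_id = o["sid"]
    return list(denials.values())


def explain(d: VlanDenial) -> str:
    """Human-readable triage line for one denial."""
    sid = f" (session {d.session_id})" if d.session_id else ""
    return (f"{d.port}: client {d.mac} was assigned VLAN {d.requested_vlan} but the port "
            f"already operates in VLAN {d.oper_vlan}; result overridden to Unauthorized{sid}")


if __name__ == "__main__":
    for denial in parse_vlan_denials(SAMPLE_DEBUG):
        print(explain(denial))
```

Run it against a captured `debug authentication feature switch-core events` buffer (or a syslog export) to list every client rejected for the per-port single-VLAN rule; a non-empty list on a port configured for multi-auth is the signature of the behaviour the thread describes, independent of which host happened to authenticate first.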
Accepted Solution

Peter Koltl
Level 7

After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-12/configuration_guide/sec/b_1612_sec_9300_cg/configuring_ieee_802_1x_port_based_authentication.html#ID398

howon
Cisco Employee

"Multi-auth Per User VLAN assignment" is supported, but only on specific platforms and versions of IOS or IOS-XE:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-12/configuration_guide/sec/b_1612_sec_9300_cg/configuring_ieee_802_1x_port_based_authentication.html#concept_4399A67822B44467858A3DD4B5613E1A
(Not an official list but I believe is correct)

  • Catalyst 2960X, 2960XR, 3560CX running 15.2(2)E+
  • Catalyst 3850, 3650 running 03.03.00SE
  • All Catalyst 9K with any IOS XE version