06-10-2021 01:44 PM
Hi,
Does authentication host-mode multi-auth option allow authorizing hosts from different vlans (DATA) on the same port?
Trying different configurations, the first host authorizes successfully and the second does not. Separately, both hosts authorize correctly.
I wanted to migrate from Huawei switches and this issue is stopping me.
Am I missing something in the configuration?
IOS 15.2
interface GigabitEthernet1/0/2
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast edge
#show authentication sessions
Interface    MAC Address     Method  Domain  Status   Fg  Session ID
Gi1/0/2      0090.3328.ff71  dot1x   DATA    Unauth       C0A801DE000000270307F39D
Gi1/0/2      18a9.05e6.bdff  dot1x   DATA    Auth         C0A801DE000000260307DDB9
Session count = 2
#show authentication sessions interface gigabitEthernet 1/0/2 details
            Interface:  GigabitEthernet1/0/2
          MAC Address:  0090.3328.ff71
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  user_test
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  C0A801DE000000270307F39D
      Acct Session ID:  Unknown
               Handle:  0x9400000B
       Current Policy:  POLICY_Gi1/0/2

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
       Method           State
       dot1x            Authc Success

----------------------------------------
            Interface:  GigabitEthernet1/0/2
          MAC Address:  18a9.05e6.bdff
         IPv6 Address:  Unknown
         IPv4 Address:  192.168.103.80
            User-Name:  user@domain.local
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  C0A801DE000000260307DDB9
      Acct Session ID:  0x00000018
               Handle:  0x9A00000A
       Current Policy:  POLICY_Gi1/0/2

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 103

Method status list:
       Method           State
       dot1x            Authc Success
Debug output (VLAN 103 and VLAN 108 are both DATA VLANs):
AUTH-FEAT-SWITCH-PM-EVENT: dot1x_switch_is_auth_control_enabled auth_control is enabled
AUTH-FEAT-IPDT-EVENT: [18a9.05e6.bdff, Gi1/0/2] IP 192.168.103.80 update for Mac 18a9.05e6.bdff ignored as already present
AUTH-FEAT-MDA-EVENT: [0090.3328.ff71, Gi1/0/2] Get domain: DATA
AUTH-FEAT-MDA-EVENT: [0090.3328.ff71, Gi1/0/2] Get domain: DATA
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: could not find vlan data for vlan 108
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2] vlan assign called for client vlan = 108, domain = 1
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: could not find vlan data for vlan 108
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: found vlan 103, user count 2 fwd count 1, client count 1, pending delete 0
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2] Deny vlan assignment, vlan 108 is different than oper vlan 103
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2] unauth for id 0x5800000B client port_opened 0x0
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2] unauth for id 0x5800000B client port_opened 0x0
AUTH-FEAT-ACCT-EVENT: [0090.3328.ff71, Gi1/0/2] [Session 0x9400000B] Client authz change client_hndl=00000001, phase_result=Fail
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0090.3328.ff71) on Interface Gi1/0/2 AuditSessionID C0A801DE000000270307F39D
06-10-2021 02:45 PM
After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
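The rule stated in this reply is exactly what the AUTH-FEAT-SWITCH-CORE-EVENT debug lines in the question record. The following is an added example, not code from the thread or from Cisco, that parses those lines and reports each client whose RADIUS-assigned VLAN was denied because it differed from the port's operational VLAN; the sample log is constructed from the debug lines quoted above.

```python
import re

# Constructed sample: the relevant debug lines from the question, one per line.
SAMPLE_DEBUG = """\
AUTH-FEAT-MDA-EVENT: [0090.3328.ff71, Gi1/0/2] Get domain: DATA
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: could not find vlan data for vlan 108
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2] vlan assign called for client vlan = 108, domain = 1
AUTH-FEAT-SWITCH-CORE-EVENT: [Gi1/0/2] Find vlan on port: found vlan 103, user count 2 fwd count 1, client count 1, pending delete 0
AUTH-FEAT-SWITCH-CORE-EVENT: [0090.3328.ff71, Gi1/0/2] Deny vlan assignment, vlan 108 is different than oper vlan 103
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0090.3328.ff71) on Interface Gi1/0/2 AuditSessionID C0A801DE000000270307F39D
"""

# Patterns for the three events that make up the multi-auth VLAN check:
# the port's current (operational) VLAN, a client's assignment request, and the denial.
OPER_RE = re.compile(r"\[(?P<port>\S+)\] Find vlan on port: found vlan (?P<vlan>\d+)")
ASSIGN_RE = re.compile(
    r"\[(?P<mac>[0-9a-f.]+), (?P<port>\S+)\] vlan assign called for client vlan = (?P<vlan>\d+)")
DENY_RE = re.compile(
    r"\[(?P<mac>[0-9a-f.]+), (?P<port>\S+)\] Deny vlan assignment, vlan (?P<vlan>\d+) "
    r"is different than oper vlan (?P<oper>\d+)")


def analyze_debug(log: str) -> dict:
    """Return the operational VLAN per port and the assignment outcome per (port, mac)."""
    report = {"oper_vlan": {}, "clients": {}}
    for line in log.splitlines():
        if m := OPER_RE.search(line):
            report["oper_vlan"][m["port"]] = int(m["vlan"])
        elif m := ASSIGN_RE.search(line):
            report["clients"].setdefault(
                (m["port"], m["mac"]), {"requested": int(m["vlan"]), "denied": False})
        elif m := DENY_RE.search(line):
            entry = report["clients"].setdefault(
                (m["port"], m["mac"]), {"requested": int(m["vlan"]), "denied": False})
            entry["denied"] = True
            entry["oper_vlan"] = int(m["oper"])
    return report


def explain(report: dict) -> list:
    """One human-readable line per client denied by the multi-auth VLAN rule."""
    return [
        f"{port}: client {mac} was assigned VLAN {c['requested']} but the port already "
        f"operates in VLAN {c['oper_vlan']}; multi-auth requires all hosts to match"
        for (port, mac), c in report["clients"].items() if c["denied"]
    ]


if __name__ == "__main__":
    for msg in explain(analyze_debug(SAMPLE_DEBUG)):
        print(msg)
```

Running the same parser over a longer debug capture shows at a glance which sessions were rejected by this rule rather than by the RADIUS server.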
06-10-2021 03:49 PM
"Multi-auth Per User VLAN assignment" is supported, but only on specific platforms and versions of IOS or IOS-XE:
(Not an official list but I believe is correct)