NAC Guest VLAN not working as expected

JUANNN

Hello,

I am doing a lab with hardware (c112X router using the switch module) with IEEE 802.1X and MAB. I am trying to achieve the following fail-over process that Cisco describes on this document:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/220919-troubleshoot-dot1x-on-catalyst-9000-seri.html

[Image: JUANNN_0-1747468290259.png]

[Image: JUANNN_3-1747467734994.png]

I have achieved almost everything except the part in red: when the client is NOT IEEE 802.1X-capable, the switch sees a no-response event and proceeds to use MAB as expected.

[Image: JUANNN_2-1747467542349.png]

So far so good. The timers match perfectly with what I configured too.

But the issue comes when MAB fails because the MAC address is not in the AAA server database. I was expecting, following the Cisco document, that when MAB fails due to "invalid MAC address" the port's operational VLAN becomes the GUEST VLAN. However, what happens in reality is that the authentication process keeps restarting, and failing, and restarting again, ...

Are there any misconfigurations in the port, or is anything missing, in order to achieve that?

Thanks,

Juan

Accepted Solution

Jens Albrecht

Hello @JUANNN,

you expect the port to become a member of the GUEST VLAN but you did not configure one.

The default GUEST VLAN is "none", so you need to add this command to your port configuration:

`authentication event no-response action authorize vlan {vlan-id}`

When you look at the fallback options, the Restricted VLAN is only used for 802.1X-compliant clients, while the Guest VLAN is used for non-802.1X-capable clients. Hence both need to be configured to achieve the expected result.

HTH!

3 Replies

Hello Jens,

Thanks for your interest and help. You are completely right; I just added the command and now everything works fine. I would like to point out, however, that there is a very interesting thing that happens then:

- If MAB is not configured, then if I apply this command the GUEST VLAN is operative when 802.1X is "declared" non-responsive.

- But if MAB is configured, then the switch, very intelligently, when 802.1X is "declared" non-responsive, does MAB first, and only if MAB fails does it use this command to apply the GUEST VLAN. I was confused because before I thought that the command would place the port in the GUEST VLAN before attempting MAB.

Also, MAB failures do not count as retries, so as soon as MAB fails the port is placed in the GUEST VLAN. I was thinking wrongly in my post.

Thanks!

Hello Juan,

the behavior you describe is exactly how port-based authentication is supposed to work. The key point is to understand that MAB is not part of the 802.1X authentication itself but a fallback method after 802.1X has failed. So the Guest VLAN is used for non-responsive clients as well as for MAB failures, as the client is considered to be not 802.1X-compliant in both cases, and hence the retry counters also have no effect on MAB.

Regards, Jens
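The following is an added example of a complete port configuration that puts together the accepted answer (both a Guest VLAN and a Restricted VLAN configured) and the fallback order Juan and Jens describe in the replies above (802.1X no-response, then MAB, then Guest VLAN on MAB failure). It is not configuration from the original thread or from the Cisco document linked above. It assumes the legacy IOS authentication-manager command syntax is supported on the switch module, and the interface name, VLAN IDs, RADIUS server address and shared key are placeholders:

```cisco
! Global AAA and RADIUS setup (assumed values, replace for your lab)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server LAB-ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
dot1x system-auth-control

! VLAN 20 = Guest VLAN (non-802.1X-capable clients / MAB failure)
! VLAN 30 = Restricted VLAN (802.1X-capable clients that fail authentication)
! Both should carry only the limited access those clients are meant to have.
interface GigabitEthernet0/1/0
 switchport mode access
 switchport access vlan 10
 ! Try 802.1X first, MAB when the supplicant does not answer
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! No EAPOL response (and MAB failure, if MAB is enabled) -> Guest VLAN
 authentication event no-response action authorize vlan 20
 ! 802.1X-capable client with bad credentials -> Restricted VLAN
 authentication event fail action authorize vlan 30
 ! Re-check the RADIUS server for the MAC before leaving the Guest VLAN
 authentication event server dead action authorize vlan 20
 mab
 dot1x pae authenticator
 ! Shorter EAP-Request/Identity timers keep the no-response decision quick
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast

! Verification: the Guest VLAN should show as the operational VLAN after
! the no-response -> MAB -> fail sequence, with the method marked as Authz Success
! show authentication sessions interface GigabitEthernet0/1/0 details
```

With MAB enabled, the `no-response` action is applied only after the MAB attempt has failed, which matches what Juan observed; with `mab` removed from the interface, the same action triggers as soon as the 802.1X tx-period and max-reauth-req budget is exhausted. Because the Guest VLAN admits unauthenticated hosts, treat it as an untrusted segment (separate ACLs, no route to management networks) rather than as a convenience VLAN, and confirm the placement with `show authentication sessions` rather than assuming it from the configuration.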