7960 and 802.1x

ak7246
Level 1

I am trying to implement 802.1x on our network. We mostly have Cisco 7960 phones, which don't support 802.1x. However, I thought you can configure a VOICE vlan and they can still work. However, the switch seems to put the phone in the Guest VLAN because of authentication failure. Here's my configuration on the port.

I will appreciate any help on this.

thanks

Anand

interface FastEthernet0/7
 switchport access vlan 17
 switchport mode access
 switchport voice vlan 3030
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout tx-period 10
 dot1x reauthentication
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
 dot1x auth-fail max-attempts 2
 spanning-tree portfast


The guest-vlan supplicant stuff is only useful if the supplicant gives up on EAPOL entirely AFTER there's been EAPOL on the port during the life of link on the port.

Here's what happens based on your config if a 1X session fails.

1) 1X will fail normally.

2) 1X will fail again immediately (b/c you have auth-fail-vlan turned on, and not sure why you set it to max-attempts 2 but OK).

3) Port enters into Auth-Fail-VLAN immediately after step 2.

4) Upon exiting HELD state (probably 60-sec), supplicant will try to re-auth but the switch will ignore any subsequent EAPOL-Start frames from the supplicant since it's placed it in the Auth-Fail-VLAN at step 3.

Here's what happens based on your config if a 1X session times out and has no supplicant at all.

1) EAPOL-Id-Request from switch.

2) 10-sec later, another (b/c you tweaked your tx-period).

3) 10-sec later, another.

4) 10-sec later, port goes into Guest-VLAN and stays there (as long as you don't in fact send in EAPOL to the switch).

So, not counting the issue of being enabled for TLS but in fact not having a cert, if the above is NOT happening per the above, I'd recommend a TAC case for a closer look.

HTH a little,
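The two timelines in the reply above, worked as a small Python model (an added example, not code from the thread or from Cisco): the Identity-Request times, the give-up point and the auth-fail counter use the values from Anand's interface config; the default max-reauth-req of 2 and the "guest VLAN withheld once EAPOL has been seen" behaviour are assumptions.

```python
"""Model of the authenticator decisions described above (constructed example,
not Cisco code): when the port lands in the guest VLAN versus the auth-fail
VLAN, using tx-period 10 and auth-fail max-attempts 2 from the config."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Dot1xPort:
    tx_period: int = 10            # dot1x timeout tx-period 10
    max_reauth_req: int = 2        # assumed IOS default: 2 retries -> 3 Identity-Requests
    guest_vlan: int = 999          # dot1x guest-vlan 999
    auth_fail_vlan: int = 999      # dot1x auth-fail vlan 999
    auth_fail_max_attempts: int = 2
    eapol_seen: bool = False       # any EAPOL from the supplicant during this link
    failures: int = 0
    vlan: Optional[int] = None     # VLAN deployed to the port; None = unauthorized
    log: List[str] = field(default_factory=list)

    def identity_request_timeline(self):
        """Seconds at which EAP-Request/Identity is sent, and when the switch gives up."""
        reqs = [i * self.tx_period for i in range(self.max_reauth_req + 1)]
        return reqs, reqs[-1] + self.tx_period

    def no_supplicant_timeout(self):
        """Nothing ever answers (the non-802.1x phone case)."""
        reqs, give_up = self.identity_request_timeline()
        self.log += [f"t={t}s EAP-Request/Identity" for t in reqs]
        if self.eapol_seen:  # assumption: guest VLAN withheld once EAPOL was seen
            self.log.append(f"t={give_up}s timeout, EAPOL seen earlier -> stay unauthorized")
            return None
        self.vlan = self.guest_vlan
        self.log.append(f"t={give_up}s timeout -> guest VLAN {self.vlan}")
        return self.vlan

    def eap_failure(self):
        """Supplicant answered but authentication failed (e.g. TLS without a cert)."""
        self.eapol_seen = True
        self.failures += 1
        if self.failures >= self.auth_fail_max_attempts:
            self.vlan = self.auth_fail_vlan
            self.log.append(f"failure #{self.failures} -> auth-fail VLAN {self.vlan}")
        else:
            self.log.append(f"failure #{self.failures} -> HELD, will retry")
        return self.vlan

    def eapol_start(self):
        """Supplicant retries after HELD; ignored once the port is in the auth-fail VLAN."""
        self.eapol_seen = True
        if self.failures >= self.auth_fail_max_attempts:
            self.log.append("EAPOL-Start ignored (port already in auth-fail VLAN)")
            return False
        self.log.append("EAPOL-Start accepted, new EAP exchange")
        return True
```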

Thanks for your help, Jason. I will look into the configurations on all the devices again because I had this working before. Maybe I am missing something. If not, then I will check with TAC.

Appreciate your help.

Anand