Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1270
Views
0
Helpful
5
Replies

Assign a Guest VLAN if DOT1X is not enabled on Supplicant

Deepak Kumar
VIP Alumni
VIP Alumni

‎02-19-2018 02:00 AM - edited ‎02-21-2020 10:45 AM

Hi All,

We are testing Dot1X in my office to implementation of BYOD solutions. DOT1x is working fine but I am missing something in the configuration for supplicant which is not supporting to DOT1x. I am getting below debug logs: (Please Don't mind debug date)

 

 

Aug 14 02:11:48.704: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:11:48.707: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:11:49.263: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:11:49.263: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:01.503: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:01.507: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:02.342: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:02.342: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:05.142: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:05.145: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:05.942: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:05.946: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:12.782: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:12.786: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:13.583: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:13.583: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:20.542: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:20.545: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:21.304: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:21.307: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:24.142: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:24.145: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:24.904: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:24.904: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:27.704: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:27.707: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:28.504: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:28.504: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:31.304: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:31.307: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:32.104: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:32.104: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:34.946: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:34.946: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:35.704: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:35.704: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:38.504: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:38.507: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:39.343: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:39.343: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:42.143: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:42.146: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:42.943: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:42.946: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:49.745: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:49.748: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:50.584: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:50.584: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:12:53.502: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:12:53.506: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:12:54.344: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:12:54.344: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:02.782: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:02.786: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:03.582: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:03.582: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:10.583: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:10.587: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:11.303: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:11.303: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:14.142: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:14.145: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:14.904: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:14.907: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:17.665: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:17.668: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:18.504: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:18.504: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:25.222: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:25.225: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:26.064: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:26.064: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:28.947: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:28.947: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:29.664: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:29.664: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:32.782: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:32.785: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:33.582: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:33.582: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:36.504: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:36.508: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:37.224: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:37.224: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Switch(config-if)#
Aug 14 02:13:40.185: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:40.188: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:40.905: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:40.905: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Switch(config-if)#
Aug 14 02:13:43.704: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:43.708: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:44.505: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:44.505: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:47.381: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:47.385: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:48.101: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:48.101: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Aug 14 02:13:54.823: dot1x-ev:[Gi1/0/2] Interface state changed to UP
Aug 14 02:13:54.826: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/2
Aug 14 02:13:55.662: dot1x-ev:[Gi1/0/2] Interface state changed to DOWN
Aug 14 02:13:55.662: dot1x-ev:[Gi1/0/2] No DOT1X subblock found for port down
Switch(config-if)#

 

Configuration working fine If my supplicant is supporting to DOT1x feature. 

 

Configuration as below:

interface GigabitEthernet1/0/2
switchport mode access
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator

authentication event no-response action authorize vlan 2

authentication event fail action authorize vlan 2
end

 

Thanks in advanced. 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
Labels:
0 Helpful
5 Replies 5

Mohammed al Baqari
Level 11
Level 11

‎02-19-2018 03:03 AM

if you use show aaa-server is your ISE server up from the switch?
Have you configured aaa author for network connections?
Have you configured aaa authen for dot1x?
Try to use authentication open and see if it works?
One useful command is debug dot1x packets which will show what is happening
when messages are exchanged
0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to Mohammed al Baqari

‎02-19-2018 05:24 AM

if you use show aaa-server is your ISE server up from the switch?

Yes, Here I am working with CloudPath not on ISE.
Have you configured aaa author for network connections?

Yes, I did it.
Have you configured aaa authen for dot1x?

Yes I did it.
Try to use authentication open and see if it works?

It is working with Supplicant which can support DOT1x.
One useful command is debug dot1x packets which will show what is happening

Above output is only from this command. 
when messages are exchanged

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Rob Ingram
VIP
VIP
In response to Deepak Kumar

‎02-19-2018 05:50 AM

Is your intention to use use the commands:
"authentication event no-response action authorize vlan 2"
"authentication event fail action authorize vlan 2"
in order to place the guest users in vlan 2 if they fail dot1x?

I am not sure that is the purpose of those commands, I'm not in a position to lab it to confirm. However why don't use require these guest users to use a CWA Guest portal and once authorised place them in the correct VLAN?

HTH
0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to Rob Ingram

‎02-19-2018 08:27 AM

These commands are used to place the endpoints in vlan 2 when nac isn't
responding. They have nothing to do with guest
0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to Mohammed al Baqari

‎02-19-2018 08:43 PM

Yes, You are right, and my current purpose is the same. But It is not working.

I tried with simple Dot1x authentication with Radius only also. But result is the same. 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents