
dot1x interface config interpretation

davinci (Level 1)

interface GigabitEthernetX/X
description xxxx
switchport
switchport access vlan 22
switchport mode access
switchport voice vlan 26
authentication event server dead action authorize vlan 22
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 27
authentication host-mode multi-domain
authentication port-control auto
authentication violation replace
mls qos trust dscp
dot1x pae authenticator
no cdp enable
Can someone please tell me the meaning of the bold commands? I need to understand the policy implications.

Accepted Solution (Rob Ingram)

Hi,

authentication event server dead action authorize vlan 22 = authorize session into data vlan 22 when the radius server(s) are all marked dead
authentication event server dead action authorize voice = authorize voice when the radius server(s) are all marked dead
authentication event no-response action authorize vlan 27 = authorize guest vlan (when user failed dot1x and mab)
authentication host-mode multi-domain = allows an IP Phone and a PC to authenticate on the same switch port
authentication port-control auto = authentication enabled on a port
authentication violation replace = upon violation, removes the current session and authenticates the new host.
mls qos trust dscp = QoS related, not dot1x
dot1x pae authenticator = Enables 802.1X authentication on the port with default parameters.

HTH


4 Replies


@Rob Ingram explained it perfectly.

I just wanted to add a few things to make your config more optimal.


Add also this on the switchport:

authentication event server alive action reinitialize (this will reauthenticate an interface that is in the critical VLAN once the AAA server is marked ALIVE).


In global config:

radius-server dead-criteria time 5 tries 3 (declare the AAA server as dead if there is no reply within 15 sec)
radius-server deadtime 10 (if the server is DEAD, after 10 minutes try to probe it with the dummy user)

In the RADIUS server config add a dummy user with probe-on, otherwise if the AAA server is dead you will have a creepy authentication loop:

radius server RADSERVER1
address ipv4 10.7.1.200 auth-port 1812 acct-port 1813
automate-tester username dummy ignore-acct-port probe-on
key 7XXXXXXXXYYYYY

Please rate if helpful.
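Added example, not code from the thread or from Cisco: a small Python checker that reads the interface block from the question and the global RADIUS lines from the reply above, then states what the port does in each of the three cases discussed (RADIUS alive, every RADIUS server dead, a host that never answers EAPOL) and flags the gaps the reply points out. The sample config strings are constructed from the lines posted in the thread (VLANs 22/26/27, RADSERVER1 at 10.7.1.200 as posted); the regexes only recognise the handful of commands discussed here, and the assumed IOS default of `authentication violation shutdown` is noted in a comment.

```python
"""Interpret a Cisco IOS dot1x access-port config and flag the gaps raised in the thread.
Added example, not from the original thread or from Cisco: parses the interface block
from the question plus the global RADIUS lines from the reply and spells out the policy."""
import re

# Constructed from the config in the question (relevant lines only).
SAMPLE_INTERFACE = """\
interface GigabitEthernetX/X
 switchport access vlan 22
 switchport voice vlan 26
 authentication event server dead action authorize vlan 22
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 27
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
"""
# Constructed from the global lines recommended in the second reply.
SAMPLE_GLOBAL = """\
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
radius server RADSERVER1
 address ipv4 10.7.1.200 auth-port 1812 acct-port 1813
 automate-tester username dummy ignore-acct-port probe-on
"""
# One anchored regex per line of interest; group "v" captures a value,
# patterns without it are presence flags.
INTERFACE_PATTERNS = {
    "data_vlan": r"switchport access vlan (?P<v>\d+)$",
    "voice_vlan": r"switchport voice vlan (?P<v>\d+)$",
    "critical_data_vlan": r"authentication event server dead action authorize vlan (?P<v>\d+)$",
    "critical_voice": r"authentication event server dead action authorize voice$",
    "server_alive_reinit": r"authentication event server alive action reinitialize$",
    "guest_vlan": r"authentication event no-response action authorize vlan (?P<v>\d+)$",
    "host_mode": r"authentication host-mode (?P<v>\S+)$",
    "port_control": r"authentication port-control (?P<v>\S+)$",
    "violation": r"authentication violation (?P<v>\S+)$",
    "authenticator": r"dot1x pae authenticator$",
    "mab": r"mab(?: eap)?$",
}
GLOBAL_PATTERNS = {
    "dead_time": r"radius-server dead-criteria time (?P<v>\d+) tries \d+$",
    "dead_tries": r"radius-server dead-criteria time \d+ tries (?P<v>\d+)$",
    "deadtime_min": r"radius-server deadtime (?P<v>\d+)$",
    "automate_tester": r"automate-tester username \S+.*\bprobe-on\b",
}
VIOLATION = {"replace": "current session removed, new host authenticated",
             "restrict": "new MAC dropped and logged", "protect": "new MAC dropped silently",
             "shutdown": "port err-disabled"}

def parse_block(text: str, patterns: dict[str, str]) -> dict[str, object]:
    """Return {name: captured value or True} for every pattern matching a line."""
    found: dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        for name, pattern in patterns.items():
            m = re.match(pattern, line)
            if m:
                found[name] = m.group("v") if "v" in m.groupdict() else True
    return found

def interpret(iface: dict[str, object], glob: dict[str, object]) -> list[str]:
    """Spell out the effective policy; lines starting with 'GAP:' need attention."""
    if iface.get("port_control") != "auto" or not iface.get("authenticator"):
        return ["GAP: 802.1X not enforced (needs 'authentication port-control auto' "
                "and 'dot1x pae authenticator')"]
    out = [f"RADIUS alive: data host -> VLAN {iface.get('data_vlan')}, phone -> voice VLAN "
           f"{iface.get('voice_vlan')} (host-mode {iface.get('host_mode')})"]
    if iface.get("critical_data_vlan"):
        voice = "voice domain also authorized" if iface.get("critical_voice") else "phones get no access"
        out.append(f"all RADIUS dead: data hosts authorized into critical VLAN "
                   f"{iface['critical_data_vlan']}, {voice}")
        if not iface.get("server_alive_reinit"):
            out.append("GAP: no 'authentication event server alive action reinitialize'; "
                       "critical-VLAN sessions are not re-authenticated when RADIUS returns")
        if "dead_time" in glob:
            out.append(f"dead detection: {glob['dead_tries']} consecutive timeouts within "
                       f"{glob['dead_time']} s, server retried after {glob.get('deadtime_min')} min")
        else:
            out.append("GAP: no explicit 'radius-server dead-criteria' behind the critical VLAN")
        if not glob.get("automate_tester"):
            out.append("GAP: no 'automate-tester ... probe-on'; a dead server is only retried "
                       "with real client authentications, which then loop on timeouts")
    if iface.get("guest_vlan"):
        trigger = "dot1x timeout then MAB failure" if iface.get("mab") else "dot1x timeout alone (no mab on the port)"
        out.append(f"no EAPOL response: host authorized into guest VLAN {iface['guest_vlan']} after {trigger}")
    mode = str(iface.get("violation", "shutdown"))  # assumed IOS default when unset
    out.append(f"violation {mode}: {VIOLATION.get(mode, 'unknown mode')}")
    return out

def summarize(interface_text: str, global_text: str) -> list[str]:
    """Parse both blocks and return the interpretation as a list of lines."""
    return interpret(parse_block(interface_text, INTERFACE_PATTERNS),
                     parse_block(global_text, GLOBAL_PATTERNS))
```

Run as `print("\n".join(summarize(SAMPLE_INTERFACE, SAMPLE_GLOBAL)))`, the posted port plus the recommended global lines yields exactly one GAP, the missing `authentication event server alive action reinitialize`; with an empty global config the missing dead-criteria and automate-tester lines are flagged as well.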

Awesome, thanks for the comments.

I have a problem where workstations (supplicants) keep getting kicked into the guest VLAN 27, seemingly inadvertently. After I shut/no shut the port they regain access via the regular data VLAN 22. What could possibly be the reason? Is there a workaround or a way to eliminate this issue from occurring?
