Switchport VLAN port changed

Hi,

My colleague complained that he cannot connect to VLAN80 using the port connected on his desk.

I checked the switch where it is connected and below are the config:

He is using port fa0/13.

sgsinspark-10651225#sh run int fa0/13

Building configuration...

Current configuration : 294 bytes

!

interface FastEthernet0/13

switchport access vlan 80

switchport mode access

dot1x mac-auth-bypass eap

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 1

dot1x timeout tx-period 1

dot1x max-reauth-req 10

dot1x auth-fail vlan 999

spanning-tree portfast

end

show vlan br - displays that it is on vlan 80

80   VLAN0080                         active    Fa0/2, Fa0/3, Fa0/4, Fa0/13

                                                Fa0/14, Fa0/24

So I am really sure that it is on vlan 80, but when I connect my laptop on this port and access the switch at the same time, show vlan br displays that it is now on vlan 60:

60   VLAN0060                         active  Fa0/13

Could someone please advise what's happening, and how do I configure int fa0/13 on VLAN 80?

Regards,

Jenna

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello Jenna,

The switch port is configured for 802.1X authentication with all those dot1x commands that appear:

>>dot1x mac-auth-bypass eap

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 1

dot1x timeout tx-period 1

dot1x max-reauth-req 10

dot1x auth-fail vlan 999

This means the port is not configured as a simple access port in vlan 80, but the end result is a function of the 802.1X authentication process.

More specifically the 802.1X process can even assign the port to a Vlan provided by RADIUS server regardless of manual configuration of the port.

This is why when you connect your laptop the port is placed in Vlan 60: the 802.1X client SW on your PC qualifies with a username/pwd and the RADIUS answer also provides Vlan information.

see

802.1x Authentication with VLAN Assignment

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1410028

Depending on your security policies you can remove the 802.1X authentication from the port or not, but this is not a simple access port.

Edit:

An explanation of the dot1x commands can be found in the IOS Security Reference guide

see

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-d2.html#GUID-3987CAB0-ADC2-44ED-8AE4-CB37C332F55D

first command

dot1x mac-auth-bypass [eap]  

To enable a switch to authorize clients based on the client MAC address, use the dot1x mac-auth-bypass command in interface configuration mode. To disable MAC authentication bypass, use the no form of this command.

eap (Optional) Configures the switch to use Extensible Authentication Protocol (EAP) for authorization.

Hope to help

Giuseppe
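
A model of the behaviour described in the answer above, as an added example that is not part of the original posts and not Cisco's code: it parses the interface stanza from the question and works out which VLAN the port lands in for each 802.1X outcome. The function names are hypothetical, the RADIUS reply is constructed, and guest VLAN and MAC authentication bypass fallback are not modelled.

```python
import re

# Constructed sample: the interface stanza quoted in the question.
SAMPLE_CONFIG = """\
interface FastEthernet0/13
 switchport access vlan 80
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x auth-fail vlan 999
"""

def parse_port(stanza):
    """Pull out the settings that decide which VLAN the port ends up in."""
    def vlan(pattern):
        m = re.search(pattern, stanza, re.M)
        return int(m.group(1)) if m else None
    return {
        "access_vlan": vlan(r"^\s*switchport access vlan (\d+)"),
        "auth_fail_vlan": vlan(r"^\s*dot1x auth-fail vlan (\d+)"),
        "dot1x_auto": bool(re.search(r"^\s*dot1x port-control auto\s*$", stanza, re.M)),
    }

def radius_vlan(reply):
    """VLAN carried in an Access-Accept, or None. All three tunnel
    attributes (RADIUS types 64, 65 and 81) must be present."""
    group = reply.get("Tunnel-Private-Group-ID")
    if (reply.get("Tunnel-Type") == "VLAN"
            and reply.get("Tunnel-Medium-Type") == "802" and group):
        return int(group) if str(group).isdigit() else group  # ID or VLAN name
    return None

def effective_vlan(port, auth_ok, reply=None):
    """Simplified decision: the static VLAN applies only without a RADIUS VLAN."""
    if not port["dot1x_auto"]:
        return port["access_vlan"]      # plain access port
    if not auth_ok:
        return port["auth_fail_vlan"]   # None: port stays unauthorized
    assigned = radius_vlan(reply or {})
    return port["access_vlan"] if assigned is None else assigned

if __name__ == "__main__":
    port = parse_port(SAMPLE_CONFIG)
    # Constructed Access-Accept mirroring the laptop case in the question.
    accept = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
              "Tunnel-Private-Group-ID": "60"}
    print("RADIUS assigns a VLAN:", effective_vlan(port, True, accept))
    print("No VLAN in the reply: ", effective_vlan(port, True))
    print("Authentication fails: ", effective_vlan(port, False))
```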

2 Replies

Thanks Giuseppe!

It is working now!