SG300-10 - 802.1x Authentication in Multi Session Mode

J Wood
Level 1

I am doing testing for implementing VLANs and 802.1x authentication by port.

We use Avaya VOIP phones, in some cases user devices are plugged into the phone switchport.

Because of this, I would prefer to place the ports into multi-session mode for authentication.  As I understand, this requires both devices to authenticate.

 

The Avaya VOIP phone authenticates in single-host and multi-host, but not multi-session.

 

What I see on the switch:

S14-DPAS-SW10#show version
SW version    1.4.0.88 ( date  06-Aug-2014 time  16:55:55 )
Boot version    1.3.5.06 ( date  21-Jul-2013 time  15:12:10 )
HW version    V02

---

S14-DPAS-SW10#show running-config

***JUST SHOWING GE6***

interface gigabitethernet6
 dot1x host-mode single-host
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x authentication 802.1x mac
 dot1x port-control auto
 spanning-tree portfast
 switchport trunk allowed vlan add 100,300,900
 voice vlan enable
!

S14-DPAS-SW10#clear dot1x statistics
S14-DPAS-SW10#show dot1x interface ge6

Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately
Authentication failure traps are disabled
Authentication success traps are disabled
Authentication quiet traps are disabled

gi6
 Host mode: single-host
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: disabled
 Open access: disabled
 Server timeout: 30 sec
 Port Operational Status: authorized
 Violation:
  Mode: protect
  Trap: disabled
  Trap Min Interval: 0 sec
  Violations were detected: 0
 Reauthentication is enabled
 Reauthentication period: 3600 sec
 Silence period: 0 sec
 Quiet period: 60 sec
 Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Supplicant timeout: 30 sec
  Max req: 2
 Authentication success: 0
 Authentication fails: 0

***PLUG IN DEVICE***

SINGLE-HOST MODE

S14-DPAS-SW10#show dot1x interface ge6

Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately
Authentication failure traps are disabled
Authentication success traps are disabled
Authentication quiet traps are disabled

gi6
 Host mode: single-host
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: disabled
 Open access: disabled
 Server timeout: 30 sec
 Port Operational Status: authorized
 Violation:
  Mode: protect
  Trap: disabled
  Trap Min Interval: 0 sec
  Violations were detected: 0
 Reauthentication is enabled
 Reauthentication period: 3600 sec
 Silence period: 0 sec
 Quiet period: 60 sec
 Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Supplicant timeout: 30 sec
  Max req: 2
 Authentication success: 1
 Authentication fails: 0

Change to MULTI-HOST mode

S14-DPAS-SW10#configure
S14-DPAS-SW10(config)#interface ge 6
S14-DPAS-SW10(config-if)#dot1x port-control force-authorized
S14-DPAS-SW10(config-if)#no dot1x radius-attributes vlan
S14-DPAS-SW10(config-if)#dot1x host-mode multi-host
S14-DPAS-SW10(config-if)#dot1x radius-attributes vlan static
S14-DPAS-SW10(config-if)#dot1x port-control auto
S14-DPAS-SW10(config-if)#end

S14-DPAS-SW10#show dot1x interface ge6

Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately
Authentication failure traps are disabled
Authentication success traps are disabled
Authentication quiet traps are disabled

gi6
 Host mode: multi-host
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: enabled, static
 Open access: disabled
 Server timeout: 30 sec
 Port Operational Status: authorized
 Reauthentication is enabled
 Reauthentication period: 3600 sec
 Silence period: 0 sec
 Quiet period: 60 sec
 Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Supplicant timeout: 30 sec
  Max req: 2
 Authentication success: 2
 Authentication fails: 0

Change to MULTI-SESSION mode

S14-DPAS-SW10#conf
S14-DPAS-SW10(config)#interface ge 6
S14-DPAS-SW10(config-if)#dot1x port-control force-authorized
S14-DPAS-SW10(config-if)#no dot1x radius-attributes vlan
S14-DPAS-SW10(config-if)#dot1x host-mode multi-sessions
S14-DPAS-SW10(config-if)#dot1x radius-attributes vlan static
S14-DPAS-SW10(config-if)#dot1x port-control auto
S14-DPAS-SW10(config-if)#end

S14-DPAS-SW10#show dot1x interface ge6

Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately
Authentication failure traps are disabled
Authentication success traps are disabled
Authentication quiet traps are disabled

gi6
 Host mode: multi-sessions
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: enabled, static
 Open access: disabled
 Server timeout: 30 sec
 Maximum Hosts: unlimited
 Maximum Login Attempts: 0
 Reauthentication is enabled
 Reauthentication period: 3600 sec
 Silence period: 0 sec
 Quiet period: 60 sec
 Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Supplicant timeout: 30 sec
  Max req: 2
 Authentication success: 2
 Authentication fails: 1
 Number of Authorized Hosts: 0

 

If I am doing something ridiculously wrong, I do apologize.  I've searched for more information, but haven't seen a reason this won't or shouldn't work.

 

Thanks in advance
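
The three captures above differ in what the switch reports per host mode: single-host and multi-host carry a port-level "Port Operational Status", while multi-session drops it and reports "Number of Authorized Hosts" instead, because authorization there is per client. As an added example (not code from the original post, from Cisco, or from the SG300 itself), here is a small Python parser that reads a "show dot1x interface" capture and flags the states a port audit would want to see; the sample text is constructed from the multi-session capture above, and the assessment rules are this example's own assumptions rather than switch behaviour documented in the thread.

```python
import re

# Sample capture constructed from the multi-session "show dot1x interface ge6"
# output in the post above (trimmed to the fields used here).
SAMPLE_MULTI_SESSION = """\
Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately

gi6
 Host mode: multi-sessions
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: enabled, static
 Open access: disabled
 Maximum Hosts: unlimited
 Reauthentication is enabled
 Authentication success: 2
 Authentication fails: 1
 Number of Authorized Hosts: 0
"""


def parse_dot1x_interface(text):
    """Parse the per-interface part of 'show dot1x interface' into a dict.

    Keys are the labels left of ':' lower-cased; plain counters such as
    '3600 sec' or '0' become ints, everything else stays a string.
    """
    info = {}
    in_iface = False
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"gi\d+", line):          # start of the interface block
            in_iface = True
            info["interface"] = line
            continue
        if not in_iface or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        m = re.fullmatch(r"(\d+)(?: sec)?", value)
        info[key.lower()] = int(m.group(1)) if m else value
    return info


def assess_port(info):
    """Return (severity, message) findings for a parsed port.

    The rules below are this example's assumptions about what an auditor
    wants flagged; they are not switch behaviour documented in the thread.
    """
    findings = []
    if info.get("port administrated status") == "force-authorized":
        findings.append(("warn", "port is force-authorized: 802.1X is bypassed"))
    if info.get("open access") == "enabled":
        findings.append(("info", "open access: rejected clients still land on the configured VLAN"))

    mode = info.get("host mode", "")
    if mode == "multi-host":
        findings.append(("info", "multi-host: one authenticated supplicant opens the port for every device behind it"))
    elif mode == "multi-sessions":
        # Authorization is per client here, so there is no port-level
        # 'Port Operational Status'; the host counter is the state to check.
        hosts = info.get("number of authorized hosts", 0)
        fails = info.get("authentication fails", 0)
        if hosts == 0 and fails > 0:
            findings.append(("warn", f"multi-session port has 0 authorized hosts and {fails} failure(s)"))
        radius_vlan = str(info.get("vlan radius attribute", ""))
        if info.get("guest vlan") == "enabled" or radius_vlan.startswith("enabled"):
            findings.append(("info", "guest VLAN / RADIUS VLAN attributes configured: confirm the switch "
                                     "is in Layer 2 system mode, since the limited Layer 3 multi-session "
                                     "mode does not support them"))
    return findings


if __name__ == "__main__":
    port = parse_dot1x_interface(SAMPLE_MULTI_SESSION)
    for sev, msg in assess_port(port):
        print(f"[{sev}] {port['interface']}: {msg}")
```

Run against the multi-session capture it flags the "0 authorized hosts with a recorded failure" state the original post describes; pointing it at a single-host capture with a healthy port produces no findings.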

 

9 Replies

Aleksandra Dargiel
Cisco Employee

Hi Justin,

There are two aspects to consider:

1. Unlike the single-host and multi-host modes, a port in the multi-session mode does not have an authentication status.  This status is assigned to each client connected to the port.

2. This mode requires a TCAM lookup. Since Layer 3 mode switches do not have a TCAM lookup allocated for multi-sessions mode, they support a limited form of multi-sessions mode, which does not support guest VLAN and RADIUS VLAN attributes.

So I wonder if your switch is in layer 2 or layer 3 mode.

Regards,

Aleksandra

bcoverstone
Level 1

I have been trying to figure out how to use 802.1x mode to authenticate and assign VLANs on an SG300.

I noticed in your post that the "single-host" mode showed "unauthorized" and the "multi-host" mode showed "authorized".  I saw the same issue on the SG300.

I cannot seem to get the VLAN assigned by the RADIUS server to apply to the port.

Please help!

I was finally able to get the vlan assignment working.  It looks like the client was not responding properly to the dot1x request.  Once I resolved that between the client and server the VLAN started working.

Now I can't seem to get the guest vlan to work for users that are not 802.1x capable.  It says that the port is in the guest vlan, but it cannot communicate with any other systems in that vlan.

I'm on a roll!  I figured out how to set up a 802.1x guest VLAN on the SG300.  Here's a hint: don't use the dot1x guest vlan.

To allow a client to be assigned a VLAN by the RADIUS server, yet set them to a guest VLAN in case they have 802.1x disabled (or if they are not authorized), here is the configuration that I was able to get working (using vlan 99 as the guest vlan):

interface gigabitethernet1
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan
 authentication open
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpduguard enable
 lldp med disable
 switchport mode access
 switchport access vlan 99
!

The trick here is to use the "dot1x authentication 802.1x mac", which will cause 802.1x to be attempted first, and then the MAC address second.  If the client has 802.1x enabled, it will use that route.  If not, it will use the MAC method, which in my case, will always fail.  This is where the "authentication open" entry comes into play.  It ignores rejection messages and authorizes the port anyways.  However, it authorizes it for the configured vlan, which in this case is 99, which is my guest vlan.

I feel that this is what the dot1x guest vlan should be doing, but it just flat out doesn't work on the SG300.  Since I've never set it up on a full blown Cisco (like a C3560), I can't say for sure if it is just broken in the SG300, or if I just don't understand what a "dot1x guest vlan" is actually supposed to be used for.

 

You could also add "dot1x host-mode single-host" for extra protection, as multi-host is the default.
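
The RADIUS side of "dot1x radius-attributes vlan" is the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple (RFC 2868, RFC 3580) carried in the Access-Accept; when it is missing or malformed the port stays on its configured access VLAN, which is exactly what the fallback-to-VLAN-99 arrangement above relies on. As an added example (not bcoverstone's configuration and not code from Cisco or the SG300), here is Python that encodes that triple the way a RADIUS server would and decodes it the way a switch must, grouping attributes by tag and rejecting bad lengths. The VLAN number 99 is taken from the configuration above; the function names are this example's own.

```python
import struct

# RADIUS attribute types and values for VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868: Tunnel-Medium-Type = IEEE-802


def tagged_int(attr_type, tag, value):
    """Tagged integer AVP: Type, Length=6, Tag (1 byte), Value (3 bytes)."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, text):
    """Tagged string AVP: Type, Length, Tag (1 byte), String."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_assignment_attributes(vlan_id, tag=1):
    """Build the three AVPs a RADIUS server puts in an Access-Accept to
    assign a VLAN (what 'dot1x radius-attributes vlan' consumes)."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(blob):
    """Split a run of AVPs into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def assigned_vlan(blob):
    """Return the VLAN ID an Access-Accept assigns, or None.

    Attributes are grouped by tag so several tunnel groups can coexist;
    a group counts only if Tunnel-Type is VLAN, Tunnel-Medium-Type is
    IEEE-802 and the group ID is a VLAN number in 1..4094.
    """
    groups = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be tag + 3 value bytes")
            tag, number = value[0], int.from_bytes(value[1:], "big")
            groups.setdefault(tag, {})[attr_type] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a first byte above 0x1F is not a tag but part of
            # the string; an untagged string belongs to tag 0 ("unused").
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            gid = group.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


if __name__ == "__main__":
    accept = vlan_assignment_attributes(99)   # guest VLAN 99 from the post above
    print(accept.hex(), "->", assigned_vlan(accept))
```

The decoder deliberately returns None rather than guessing when the triple is inconsistent (for example a Tunnel-Type other than VLAN), which mirrors the switch leaving the port on its configured VLAN; an explicit length check is what stops a corrupt or hostile Access-Accept from being read past its end.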

 

 

Thanks, this helped me do what I thought guest vlan would do. Still broken in 1.4.9.4. I had opened a support ticket for this issue, just added this post and we'll see what happens since these things are EOS now. I doubt they'll fix it.

The guest vlan only works for non-802.1x compatible devices. That's the official word from support. They sent me a link to IOS documentation for catalyst switches that states this. They even confirmed with engineering. 

I'm having lots of problems trying to establish a Fail-Auth VLAN.

In the case of not having a client for 802.1X this solution works great, but trying to test the solution with a failing username doesn't give access to the VLAN. It seems that the switch handles a Fail-Auth differently from a Non-Auth.

I've not found any help on the Internet :S

Any help?

Working with an SG-300 running 1.4.9.4.

I believe you have to set the vlan config for each port to the guest vlan. Then if the 802.1x doesn't change the vlan, the device will be left on the guest vlan.

I still have the config for this lying around somewhere, before we upgraded to 3750 switches.