02-24-2015 10:21 AM
I am doing testing for implementing VLANs and 802.1x authentication by port.
We use Avaya VOIP phones, in some cases user devices are plugged into the phone switchport.
Because of this, I would prefer to place the ports into multi-session mode for authentication. As I understand, this requires both devices to authenticate.
The Avaya VOIP phone authenticates in single-host and multi-host, but not multi-session.
What I see on the switch:
S14-DPAS-SW10#show version
SW version 1.4.0.88 ( date 06-Aug-2014 time 16:55:55 )
Boot version 1.3.5.06 ( date 21-Jul-2013 time 15:12:10 )
HW version V02
---
S14-DPAS-SW10#show running-config
***JUST SHOWING GE6***
interface gigabitethernet6
 dot1x host-mode single-host
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x authentication 802.1x mac
 dot1x port-control auto
 spanning-tree portfast
 switchport trunk allowed vlan add 100,300,900
 voice vlan enable
!
S14-DPAS-SW10#clear dot1x statistics
S14-DPAS-SW10#show dot1x interface ge6
Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately
Authentication failure traps are disabled
Authentication success traps are disabled
Authentication quiet traps are disabled

gi6
 Host mode: single-host
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: disabled
 Open access: disabled
 Server timeout: 30 sec
 Port Operational Status: authorized
 Violation:
  Mode: protect
  Trap: disabled
  Trap Min Interval: 0 sec
  Violations were detected: 0
 Reauthentication is enabled
 Reauthentication period: 3600 sec
 Silence period: 0 sec
 Quiet period: 60 sec
 Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Supplicant timeout: 30 sec
  Max req: 2
 Authentication success: 0
 Authentication fails: 0
***PLUG IN DEVICE***
SINGLE-HOST MODE
S14-DPAS-SW10#show dot1x interface ge6
Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately
Authentication failure traps are disabled
Authentication success traps are disabled
Authentication quiet traps are disabled

gi6
 Host mode: single-host
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: disabled
 Open access: disabled
 Server timeout: 30 sec
 Port Operational Status: authorized
 Violation:
  Mode: protect
  Trap: disabled
  Trap Min Interval: 0 sec
  Violations were detected: 0
 Reauthentication is enabled
 Reauthentication period: 3600 sec
 Silence period: 0 sec
 Quiet period: 60 sec
 Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Supplicant timeout: 30 sec
  Max req: 2
 Authentication success: 1
 Authentication fails: 0
Change to MULTI-HOST mode
S14-DPAS-SW10#configure
S14-DPAS-SW10(config)#interface ge 6
S14-DPAS-SW10(config-if)#dot1x port-control force-authorized
S14-DPAS-SW10(config-if)#no dot1x radius-attributes vlan
S14-DPAS-SW10(config-if)#dot1x host-mode multi-host
S14-DPAS-SW10(config-if)#dot1x radius-attributes vlan static
S14-DPAS-SW10(config-if)#dot1x port-control auto
S14-DPAS-SW10(config-if)#end
S14-DPAS-SW10#show dot1x interface ge6
Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately
Authentication failure traps are disabled
Authentication success traps are disabled
Authentication quiet traps are disabled

gi6
 Host mode: multi-host
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: enabled, static
 Open access: disabled
 Server timeout: 30 sec
 Port Operational Status: authorized
 Reauthentication is enabled
 Reauthentication period: 3600 sec
 Silence period: 0 sec
 Quiet period: 60 sec
 Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Supplicant timeout: 30 sec
  Max req: 2
 Authentication success: 2
 Authentication fails: 0
Change to MULTI-SESSION mode
S14-DPAS-SW10#conf
S14-DPAS-SW10(config)#interface ge 6
S14-DPAS-SW10(config-if)#dot1x port-control force-authorized
S14-DPAS-SW10(config-if)#no dot1x radius-attributes vlan
S14-DPAS-SW10(config-if)#dot1x host-mode multi-sessions
S14-DPAS-SW10(config-if)#dot1x radius-attributes vlan static
S14-DPAS-SW10(config-if)#dot1x port-control auto
S14-DPAS-SW10(config-if)#end
S14-DPAS-SW10#show dot1x interface ge6
Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately
Authentication failure traps are disabled
Authentication success traps are disabled
Authentication quiet traps are disabled

gi6
 Host mode: multi-sessions
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: enabled, static
 Open access: disabled
 Server timeout: 30 sec
 Maximum Hosts: unlimited
 Maximum Login Attempts: 0
 Reauthentication is enabled
 Reauthentication period: 3600 sec
 Silence period: 0 sec
 Quiet period: 60 sec
 Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Supplicant timeout: 30 sec
  Max req: 2
 Authentication success: 2
 Authentication fails: 1
 Number of Authorized Hosts: 0
If I am doing something ridiculously wrong, I do apologize. I've searched for more information, but haven't seen a reason this won't or shouldn't work.
Thanks in advance
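When comparing the three host modes it helps to pull the relevant fields out of "show dot1x interface" mechanically rather than by eye, because the multi-sessions output drops "Port Operational Status" and adds "Number of Authorized Hosts", which is easy to overlook. The following parser and audit is an added example written for this thread, not code from the original post or from Cisco; the sample text is the multi-sessions output above with line breaks restored, and the checks encode only what the thread itself reports (per-host rather than per-port status in multi-sessions mode, and guest VLAN / RADIUS VLAN attributes being unsupported in that mode on a Layer 3 mode switch).

```python
import re

# Constructed sample: the multi-sessions output from the post, one item per line
# as the switch prints it (the forum flattened it onto a single line).
SAMPLE_MULTI_SESSIONS = """\
Authentication is enabled
Authenticating Servers: Radius
Unauthenticated VLANs:
Guest VLAN: VLAN 999, timeout: immediately
Authentication failure traps are disabled

gi6
 Host mode: multi-sessions
 Authentication methods: 802.1x+mac
 Port Administrated Status: auto
 Guest VLAN: enabled
 VLAN Radius Attribute: enabled, static
 Open access: disabled
 Server timeout: 30 sec
 Maximum Hosts: unlimited
 Maximum Login Attempts: 0
 Reauthentication is enabled
 Reauthentication period: 3600 sec
 Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Max req: 2
 Authentication success: 2
 Authentication fails: 1
 Number of Authorized Hosts: 0
"""

PORT_LINE = re.compile(r"^(gi|fa|te|po)\d+(/\d+)*$", re.IGNORECASE)
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9 .]+?):\s*(.*)$")
IS_STATE = re.compile(r"^\s*(.+?) is (enabled|disabled)$")


def parse_show_dot1x(text):
    """Return {port_name: {field: value}} for each interface block in the output.

    Lines before the first port name are the global header and are stored under
    the pseudo-port "_global". "X is enabled" lines become field X = enabled.
    """
    ports = {"_global": {}}
    current = ports["_global"]
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if PORT_LINE.match(line.strip()):
            current = ports.setdefault(line.strip().lower(), {})
            continue
        m = IS_STATE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2)
            continue
        m = KEY_VALUE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return ports


def audit_port(fields):
    """Flag combinations the thread reports as not behaving as expected."""
    findings = []
    mode = fields.get("Host mode", "")
    if mode.startswith("multi-session"):
        if fields.get("Guest VLAN") == "enabled":
            findings.append("guest VLAN enabled in multi-sessions mode: unsupported "
                            "on a Layer 3 mode switch, verify system mode is Layer 2")
        if fields.get("VLAN Radius Attribute", "").startswith("enabled"):
            findings.append("RADIUS VLAN attribute enabled in multi-sessions mode: "
                            "unsupported on a Layer 3 mode switch")
        if "Port Operational Status" not in fields:
            findings.append("no port-level authorization status in multi-sessions "
                            "mode; status is per host, check 'Number of Authorized Hosts'")
        if int(fields.get("Number of Authorized Hosts", "0")) == 0:
            findings.append("zero authorized hosts on the port")
    fails = int(fields.get("Authentication fails", "0"))
    if fails:
        findings.append(f"{fails} authentication failure(s) since counters were cleared")
    return findings


if __name__ == "__main__":
    for name, fields in parse_show_dot1x(SAMPLE_MULTI_SESSIONS).items():
        if name == "_global":
            continue
        print(name, fields.get("Host mode"))
        for f in audit_port(fields):
            print("  -", f)
```

Run it against the real output of each port (paste the text into a file and feed it to parse_show_dot1x) after "clear dot1x statistics", so the failure counter reflects only the test you just did.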
02-25-2015 07:30 AM
Hi Justin,
There are two aspects to consider:
1. Unlike the single-host and multi-host modes, a port in the multi-session mode does not have an authentication status. This status is assigned to each client connected to the port.
2. This mode requires a TCAM lookup. Since Layer 3 mode switches do not have a TCAM lookup allocated for multisessions mode, they support a limited form of multi-sessions mode, which does not support guest VLAN and RADIUS VLAN attributes.
So I wonder if your switch is in layer 2 or layer 3 mode.
Regards,
Aleksandra
12-23-2015 10:11 AM
I have been trying to figure out how to use 802.1x mode to authenticate and assign VLANs on an SG300.
I noticed in your post that the "single-host" mode showed "unauthorized" and the "multi-host" mode showed "authorized". I saw the same issue on the SG300.
I cannot seem to get the VLAN assigned by the RADIUS server to apply to the port.
Please help!
12-27-2015 09:19 PM
I was finally able to get the vlan assignment working. It looks like the client was not responding properly to the dot1x request. Once I resolved that between the client and server the VLAN started working.
Now I can't seem to get the guest vlan to work for users that are not 802.1x capable. It says that the port is in the guest vlan, but it cannot communicate with any other systems in that vlan.
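Dynamic VLAN assignment on a port with "dot1x radius-attributes vlan" depends on the RADIUS Access-Accept carrying three tunnel attributes together: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN number. When the client finally answers the EAP request but the port still lands in the wrong VLAN, the next thing to check is that the server actually sends that triple. The code below is an added example, not from the original post or from any vendor; it encodes and decodes the attributes per RFC 2868 and RFC 3580 so you can compare a captured Access-Accept against what the switch expects. The packet header, authenticator and other attributes are left out; only the attribute bytes are handled.

```python
# RFC 2868 tunnel attribute types and the values RFC 3580 assigns for VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_avp(attr_type, payload):
    """Type, Length (header included), Value; length must fit in one byte."""
    if len(payload) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([attr_type, len(payload) + 2]) + payload


def build_vlan_attributes(vlan_id, tag=1):
    """Attribute bytes a RADIUS server sends to assign vlan_id (tag groups them)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    t = bytes([tag])
    return (encode_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + encode_avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def iter_avps(data):
    """Walk Type/Length/Value triples, rejecting truncated or short attributes."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def vlan_from_accept(data):
    """VLAN id the switch would apply from these Access-Accept attributes, else None.

    Attributes are grouped by their tag byte. For the string attribute (81) a
    first byte above 0x1F is not a tag but the first character of the value
    (RFC 2868 section 3.6), so an untagged "99" still decodes correctly.
    """
    groups = {}
    for attr_type, value in iter_avps(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if not value:
            raise ValueError("empty tunnel attribute")
        tag, body = value[0], value[1:]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and tag > 0x1F:
            tag, body = 0, value
        elif tag > 0x1F:
            tag = 0                     # integer attrs always carry a tag byte
        entry = groups.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry[attr_type] = body.decode("ascii", "strict")
        else:
            if len(body) != 3:
                raise ValueError("tunnel integer attribute must be 3 bytes")
            entry[attr_type] = int.from_bytes(body, "big")
    for _tag, entry in sorted(groups.items()):
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in entry):
            gid = entry[TUNNEL_PRIVATE_GROUP_ID]
            # A VLAN name instead of a number needs a name-to-id mapping the
            # switch may not have; treat it as unresolved here.
            return int(gid) if gid.isdigit() and 1 <= int(gid) <= 4094 else None
    return None


if __name__ == "__main__":
    pkt = build_vlan_attributes(99)
    print(pkt.hex(), "->", vlan_from_accept(pkt))
```

To use it on real traffic, extract the attribute bytes of an Access-Accept from a capture taken between the switch and the RADIUS server and pass them to vlan_from_accept; a None result with a correct switch configuration points at the server's attribute set rather than at the port.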
12-27-2015 09:50 PM
I'm on a roll! I figured out how to set up an 802.1x guest VLAN on the SG300. Here's a hint: don't use the dot1x guest vlan.
To allow a client to be assigned a VLAN by the RADIUS server, yet set them to a guest VLAN in case they have 802.1x disabled (or if they are not authorized), here is the configuration that I was able to get working (using vlan 99 as the guest vlan):
interface gigabitethernet1
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan
 authentication open
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpduguard enable
 lldp med disable
 switchport mode access
 switchport access vlan 99
!
The trick here is to use the "dot1x authentication 802.1x mac", which will cause 802.1x to be attempted first, and then the MAC address second. If the client has 802.1x enabled, it will use that route. If not, it will use the MAC method, which in my case, will always fail. This is where the "authentication open" entry comes into play. It ignores rejection messages and authorizes the port anyway. However, it authorizes it for the configured vlan, which in this case is 99, which is my guest vlan.
I feel that this is what the dot1x guest vlan should be doing, but it just flat out doesn't work on the SG300. Since I've never set it up on a full-blown Cisco (like a C3560), I can't say for sure if it is just broken in the SG300, or if I just don't understand what a "dot1x guest vlan" is actually supposed to be used for.
02-14-2018 02:54 PM - edited 03-01-2018 10:07 PM
You could also add "dot1x host-mode single-host" for extra protection, as multi-host is the default.
11-16-2018 12:01 PM
12-10-2018 01:31 PM
The guest vlan only works for non-802.1x compatible devices. That's the official word from support. They sent me a link to IOS documentation for catalyst switches that states this. They even confirmed with engineering.
09-06-2019 07:40 AM
I'm having lots of problems trying to establish a Fail-Auth VLAN.
In the case of not having a client for 802.1X, this solution works great, but trying to test the solution with a failing username doesn't give access to the VLAN. It seems that the switches handle a Fail-Auth and a Non-Auth differently.
I've not found any help on the Internet :S
Any help?
Working with an SG-300 running 1.4.9.4.
09-06-2019 06:15 PM