802.1X CoA VLAN move when in multi-auth mode

eku1s
Level 1

Consider the following scenario:

  1. Switch port on Cisco 3650 configured with authentication host-mode multi-auth and switchport access vlan 101
  2. Unmanaged 'dumb' switch connected to a switchport on the Cisco switch
  3. Two devices connected to the unmanaged switch - 1 with the supplicant enabled and configured with a computer cert, 1 without a supplicant, falling back to MAB
  4. Both devices land on VLAN 101.
  5. NAC issues a CoA to the Cisco switch following initial connection for one of the hosts, instructing a VLAN move (let's call it VLAN 102)
  6. One device remains on the VLAN 101, the other is moved to VLAN 102

Is this scenario supported? I have tested it; however, I'm getting the following error in the CoA debug logs:

Jul 4 12:00:06.741: 07A9B834 0 00000002 error-cause(272) 4 Resource Unavailable

Config I have for the switch port is:

interface GigabitEthernet0/7
 switchport access vlan 101
 switchport mode access
 authentication control-direction in
 authentication event fail retry 0 action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer restart 10
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 10
 dot1x max-reauth-req 1
end

This seems to work fine when authentication host-mode is set to single-host, so I am guessing this is not possible. Sending an access-reject for one of the sessions seems to work fine in both modes; however, that leaves one device able to communicate and one not.

Any thoughts would be appreciated!
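As an added triage helper (not from the original post or from Cisco), the following script parses interface blocks in the format shown above to report each port's access VLAN and host-mode, and parses CoA debug lines like the one quoted to map the printed error text to its RFC 5176 Error-Cause code. The sample config and log lines are constructed; the second interface and the second log line are assumed for comparison, and the single-host default is the IOS default assumed when no host-mode line is present.

```python
import re

# Constructed sample: the thread's Gi0/7 block (trimmed) plus an assumed single-host port.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/7
 switchport access vlan 101
 authentication host-mode multi-auth
 authentication order dot1x mab
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/8
 switchport access vlan 101
 dot1x pae authenticator
!
"""

# Constructed CoA debug lines in the format quoted in the thread (second line assumed).
SAMPLE_COA_LOG = """\
Jul 4 12:00:06.741: 07A9B834 0 00000002 error-cause(272) 4 Resource Unavailable
Jul 4 12:05:11.002: 07A9B9F1 0 00000002 error-cause(272) 4 Session Context Not Found
"""

# RFC 5176 Error-Cause codes for the texts IOS prints (subset).
RFC5176_ERROR_CAUSE = {"Session Context Not Found": 503, "Resource Unavailable": 506}


def audit_interfaces(config_text):
    """Map interface name -> {"vlan", "host_mode"}; host-mode defaults to single-host (IOS default)."""
    result = {}
    for block in re.split(r"^interface ", config_text, flags=re.M)[1:]:
        lines = block.splitlines()
        entry = {"vlan": None, "host_mode": "single-host"}
        for line in (l.strip() for l in lines[1:]):
            if m := re.match(r"switchport access vlan (\d+)$", line):
                entry["vlan"] = int(m.group(1))
            elif m := re.match(r"authentication host-mode (\S+)$", line):
                entry["host_mode"] = m.group(1)
        result[lines[0].strip()] = entry
    return result


def parse_coa_errors(log_text):
    """Return (timestamp, cause text, RFC 5176 code or None) for each CoA error line."""
    pat = re.compile(r"^(\w+ \d+ [\d:.]+): .*?error-cause\(\d+\) \d+ (.+)$")
    matches = [m for m in map(pat.match, log_text.splitlines()) if m]
    return [(m.group(1), m.group(2).strip(), RFC5176_ERROR_CAUSE.get(m.group(2).strip()))
            for m in matches]
```

Running `audit_interfaces(SAMPLE_CONFIG)` alongside `parse_coa_errors(SAMPLE_COA_LOG)` lets you correlate a 506 (Resource Unavailable) CoA failure with the host-mode of the port the session sits on.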


You cannot use 802.1X for interconnecting switches when one of the switches is unmanaged.

802.1X works only on the switch that is directly connected to the endpoint,

or when both switches are managed switches.

MHM

Sorry but unless I've misunderstood your response, I'm not sure it's correct.

I have successfully tested 802.1X with a downstream unmanaged switch and two devices connected. Each device is authenticated separately. This is ultimately what 'multi-auth' mode is designed for.

My question relates to CoA VLAN moves specifically.

Jens Albrecht
Level 7

Hello @eku1s,

According to the Security Configuration Guide for IOS-XE 16.12.x, the 3560 switches do support multiple VLANs per access port. There is, however, no explicit mention of CoA or MAB, only a more general description of what can be done on this platform.

Anyway, check out the Multi-auth Per User VLAN assignment section of this guide to see whether one of the outlined scenarios matches your needs. This document also mentions Cisco NEAT in case you can use some kind of basic managed switch instead.

There is also another thread in this forum with similar requirements that is worth reading.

HTH!