04-11-2008 04:59 AM - edited 03-05-2019 10:20 PM
Hi,
I have a problem at the moment deploying a Guest vlan in 802.1x that hopefully someone will have a suggestion for. My issue is as follows:-
I have a 3750 port configured for 802.1x authentication and with a voice vlan and guest vlan. I am not 802.1x authenticating the phone. The data vlan (PC connected to the phone) will only drop into the guest vlan if it sees *NO* EAPOL packets since the physical switch port has come up. This is a problem in a hot desk type environment where the connection may be used for an 802.1x user first and then later by a non-802.1x user (guest): because the IP phone holds the port up, the switch will no longer drop into the guest VLAN. I understand that this is a behaviour change that occurred around 12.2.25. Has anybody come across this and found a workaround?
04-17-2008 07:42 AM
When you configure a guest VLAN, clients that are not 802.1X-capable are put into the guest VLAN when the server does not receive a response to its EAPOL request/identity frame. Clients that are 802.1X-capable but fail authentication are not granted access to the network. The switch supports guest VLANs in single-host or multiple-hosts mode.
Any VLAN can be configured as an 802.1x guest VLAN except internal (routed port) VLANs, RSPAN VLANs, or voice VLANs.
A PC will not authenticate using 802.1x while connected via an IP phone.
Authentication works if a PC is plugged directly into the switch. With an IP phone in the middle, it does not authenticate. When an 802.1x supplicant connects to the switch through an IP phone in the middle, there is no link-up event at the switch. So, the switch is not directly aware that a PC is connected, and it does not initiate the authentication procedure. If Guest-VLAN is also configured, the port may be placed in the Guest-VLAN first after the periodic (every 30 seconds by default) EAPOL-Identity-Request frames have gone unanswered. Also, once the Guest-VLAN is deployed, EAPOL stops on the wire and the switch can no longer initiate 802.1x. However, if any supplicant that connects to the phone sends EAPOL-Start frames unconditionally, 802.1x can work normally (in which a port is taken out of the Guest-VLAN and is authenticated).
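The port behaviour described in this answer can be walked through as a small state model. This is an added illustration, not Cisco code or anything from the thread; the VLAN ids, the number of unanswered identity requests before the guest VLAN is applied, and the event names (including the EAPOL-Logoff used to represent the first user leaving) are constructed assumptions. The only page-sourced number is the 30-second identity-request period.

```python
"""Toy model of the 802.1X guest-VLAN port behaviour described in the thread.
Added example, not Cisco code; VLAN ids, retry count and event names are constructed."""
from dataclasses import dataclass, field
from typing import Optional

GUEST_VLAN = 900          # constructed sample guest VLAN id
DATA_VLAN = 10            # constructed sample data VLAN id
TX_PERIOD = 30            # seconds between EAPOL-Identity-Request frames (30 s default, per the answer)
MAX_UNANSWERED = 3        # identity requests left unanswered before guest VLAN; assumed value


@dataclass
class Port:
    state: str = "down"                 # down | unauthorized | guest | authorized
    vlan: Optional[int] = None
    eapol_seen: bool = False            # any EAPOL frame observed since the last link-up
    unanswered: int = 0                 # identity requests sent without a reply
    log: list = field(default_factory=list)

    def _set(self, state, vlan, why):
        self.state, self.vlan = state, vlan
        self.log.append(f"{why}: {state} vlan={vlan}")

    def link_up(self):
        # A physical link-up is the only thing that clears the "EAPOL seen" memory.
        self.eapol_seen, self.unanswered = False, 0
        self._set("unauthorized", None, "link-up")

    def link_down(self):
        self._set("down", None, "link-down")

    def tx_timer(self):
        """One tx-period elapsed with no supplicant reply."""
        if self.state != "unauthorized":
            return                      # in the guest VLAN the switch stops sending EAPOL
        self.unanswered += 1
        if self.unanswered >= MAX_UNANSWERED and not self.eapol_seen:
            self._set("guest", GUEST_VLAN, f"{self.unanswered * TX_PERIOD}s silent")
        elif self.unanswered >= MAX_UNANSWERED:
            self.log.append("silent, but EAPOL was seen earlier: guest VLAN withheld")

    def eapol_start(self):
        """Supplicant sends EAPOL-Start unconditionally (works even from the guest VLAN)."""
        self.eapol_seen = True
        self.unanswered = 0
        self._set("unauthorized", None, "EAPOL-Start")

    def eapol_auth_result(self, ok):
        """Identity/credential exchange finished; ok=True means the server accepted."""
        self.eapol_seen = True
        if ok:
            self._set("authorized", DATA_VLAN, "auth success")
        else:
            self._set("unauthorized", None, "auth failure (no access, no guest VLAN)")

    def eapol_logoff(self):
        """Assumed event: the 802.1X user leaves while the phone keeps the link up."""
        self._set("unauthorized", None, "EAPOL-Logoff")


def hot_desk_scenario():
    """Phone holds the link up; an 802.1X user is followed by a non-802.1X guest."""
    p = Port()
    p.link_up()
    for _ in range(MAX_UNANSWERED):
        p.tx_timer()
    first = p.state                      # non-802.1X guest arrives first: guest VLAN
    p.eapol_start()                      # 802.1X laptop behind the phone
    p.eapol_auth_result(True)
    second = p.state                     # authorized on the data VLAN
    p.eapol_logoff()                     # laptop leaves; phone keeps the link up
    for _ in range(MAX_UNANSWERED):
        p.tx_timer()                     # guest PC answers nothing
    third = p.state                      # still unauthorized: the reported problem
    p.link_down()
    p.link_up()                          # the only recovery the thread found
    for _ in range(MAX_UNANSWERED):
        p.tx_timer()
    fourth = p.state
    return first, second, third, fourth, p.log


if __name__ == "__main__":
    for line in hot_desk_scenario()[4]:
        print(line)
```

Running `hot_desk_scenario()` walks the port through guest, authorized, then stuck in unauthorized after the 802.1X user leaves, and back to guest only after a link down/up, which is exactly the sequence the original poster and the later reply describe. The `eapol_start` method shows the other point the answer makes: a supplicant that sends EAPOL-Start on its own pulls the port out of the guest VLAN and authenticates normally.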
06-19-2008 03:23 PM
Hi,
I'm running into the same problem on c3560s with 12.2.37SE1: once a port sees 802.1x packets from a PC connected to an IP phone, it refuses to put another, non-802.1x PC connected instead to the same phone into the guest vlan until the SW interface is down/up.
Was just wondering if you found any solution to this issue?
Thanks
07-14-2008 01:16 PM
I was running into a similar issue; however, I was seeing the issue when going from a PC with no cert to a PC with a proper cert. The switchport would stay in the Guest-VLAN. Upgrading the phone to 8.0(9.0) seems to have fixed the issue. This was bug CSCsl48111 with older software versions.