802.1x VLAN assigment

vlad09
Level 1

Hi there!


I have configured 802.1x with VLAN assignment. It's working very well for domain (known) devices. But I have some difficulties with unknown devices (laptops) which are not a part of our network. There is vlan99 which is created for guests with internet access only. NPS runs on win2k8 - RADIUS. The port is configured like this:

interface GigabitEthernet2/0/16
 description z P2-23
 switchport access vlan 99
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 3
 switchport port-security aging type inactivity
 ip arp inspection limit rate 200
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication open
 authentication port-control auto
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
 auto qos trust
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 25
end


So after this configuration I expected that the port is configured into vlan 99 with no port-security (have some reasons), authentication open, which I thought means that if authentication fails, the device connected to that port will have access to vlan99, and authentication port-control auto, so a known device (part of the domain) will be assigned into a particular vlan. The problem is that the unknown device is getting authenticated over and over. Please correct me if I am wrong and try to help me with the configuration.

Accepted Solution

Hello,

off the top of my head, I think you have to configure a fallback VLAN:

interface GigabitEthernet2/0/16
 authentication event fail action authorize vlan 99


Thanks, your answer has some logic, but maybe I forgot to mention that the device is authenticating over and over but has no access to vlan99, so then, what does the command "authentication open" really do?
Anyway, I'll try your suggestion and let you know.

The problem was with source guard. This function is pretty tricky because it doesn't show in a log file.
Authentication event actions take some time until all methods are executed (these times are configurable), but I still prefer to have the port in access vlan 99 with authentication open due to no time loss.

anyway, thank you!
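Added example, not from this thread or from Cisco: a small Python checker that parses the interface block from the question and flags the two settings the thread ended up on, the fail-action VLAN from the accepted answer and the IP Source Guard entry that turned out to be the real cause. The function names parse_interfaces and audit_port and the trimmed sample configuration are constructed here.

```python
"""Constructed audit helper (not from the thread or from Cisco): parse the
interface block posted in the question and flag the two settings the thread
ended up on: the missing 802.1X fail-action VLAN and IP Source Guard."""
import re

# Constructed sample: a trimmed copy of the port configuration from the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/16
 switchport access vlan 99
 switchport mode access
 authentication open
 authentication port-control auto
 dot1x pae authenticator
 ip verify source
 ip dhcp snooping limit rate 25
end
"""

FAIL_VLAN_RE = re.compile(r"authentication event fail action authorize vlan (\d+)")


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [stripped config lines]} for each 'interface' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line and line not in ("end", "!"):
            blocks[current].append(line)
    return blocks


def audit_port(lines: list[str]) -> list[str]:
    """Return findings for one interface block; an empty list means clean."""
    findings = []
    has_fail_vlan = any(FAIL_VLAN_RE.match(line) for line in lines)
    if "authentication port-control auto" in lines and not has_fail_vlan:
        findings.append("802.1X is enabled without 'authentication event fail action "
                        "authorize vlan <id>', so a failed supplicant is never explicitly "
                        "authorized into the guest VLAN (the accepted answer's fix)")
    if "ip verify source" in lines:
        findings.append("'ip verify source' (IP Source Guard) drops IP traffic from any "
                        "host that has no DHCP snooping binding, and the drops are not "
                        "logged; this was the root cause reported in the thread")
    return findings
```

Run it against a saved `show running-config` to list every access port that still carries the combination discussed here.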