cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

166
Views
0
Helpful
3
Replies
Beginner

802.1x VLAN assigment

Hi there!

 

I have configured 802.1x configuration with VLAN assigment. Its working very well for domain (known) devices. But I have some difficulties with unknown devices (laptops) which are not a part of our network. There is vlan99 which is created for guests with internet access only. NPS runs on win2k8 - RADIUS. The port ist configured like this:

interface GigabitEthernet2/0/16
 description z P2-23
 switchport access vlan 99
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 3
 switchport port-security aging type inactivity
 ip arp inspection limit rate 200
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication open
 authentication port-control auto
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
 auto qos trust
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 25
end

 

so afted this configuration I was expected that port is configured into vlan 99 with no port-security (have some reasons), AUTHENTICATION open which I tought if authentication fails, that device connected to that port will have access of vlan99, authen port-controll auto (if devices is know[part of domain]) will be assined into particular vlan. The problem is that unknown device getting authenticated over and over.  pls correct me if I am wrong and try to help me, with configuration.

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Mentor

Re: 802.1x VLAN assigment

Hello,

 

off the top of my head, I think you have to configure a fallback VLAN:

 

interface GigabitEthernet2/0/16

authentication event fail action authorize vlan 99

 

3 REPLIES 3
VIP Mentor

Re: 802.1x VLAN assigment

Hello,

 

off the top of my head, I think you have to configure a fallback VLAN:

 

interface GigabitEthernet2/0/16

authentication event fail action authorize vlan 99

 

Highlighted
Beginner

Re: 802.1x VLAN assigment

Thank, your answear have some logic, but maybe I forgot to mention that device is authenticating over and over but have no access to vlan99, so than, what does command "authentication open" really do?
Anyway, I try your suggestion and let u know
Beginner

Re: 802.1x VLAN assigment

the problem was with source guard. this function is pretty tricky cuz it doesnt show in a log file.
authentication event actions takes some time until all method are executed (these times are configurable) but I still prefer to have port in acc vlan 99 with authentication open due to no time loss.

anyway, thank you!
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards