Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1992
Views
16
Helpful
6
Replies

Cisco Catalyst 9200L - 802.1x - Unauthenticated VLAN?

zakfleming1
Level 1
Level 1

‎01-30-2021 05:34 PM

Hello,

 

I am looking to implement 802.1x for our wired ports. I have a working solution. The device connects and successfully authenticates. The VLAN is not set by the radius server but is provided by the switch port configuration (Switch access VLAN xx).

Works well so far but our PXE solution doesn't support 802.1x. I was thinking some kind of unauthenticated VLAN that clients enter when 802.1x authentication fails. This VLAN will be very restricted and only have access to the PXE server (via an ACL).

 

I have researched this but I am getting mixed message and many articles online are quite old.

 

I was wondering if anyone can advise please?

 

Thank You.

Labels:
6 Replies 6

MHM Cisco World
VIP
VIP

‎01-30-2021 05:57 PM

authentication event fail action authorize vlan vlan-id

 

 

you need above command if the 802.1x failed then automatically PXE will get VLAN you enter in command.

0 Helpful

zakfleming1
Level 1
Level 1
In response to MHM Cisco World

‎01-30-2021 06:34 PM

Thank you. I will give that a try!

 

Do you know any show commands to view if a port passes or fails authentication please? It will be useful in troubleshooting. I haven’t actually implemented 802.1x on wired ports before. 

Thanks Again!

0 Helpful

zakfleming1
Level 1
Level 1
In response to MHM Cisco World

‎02-02-2021 10:22 PM

Hello MHM,

 

I added authentication event fail action authorize vlan 506 - It didn't seem to work. I connect a device (standalone laptop) and it doesn't get an IP address from VLAN 506. Connected a domain laptop to this port authenticates and works well.

 

I wonder if you can provide any tips please?

 

Thanks

 

The port config is:

 

 

description Client

switchport access vlan 508

switchport mode access

authentication event fail action authorize vlan 506

authentication port-control auto

dot1x pae authenticator

spanning-tree portfast

 

acampbell
VIP Alumni
VIP Alumni
In response to zakfleming1

‎05-05-2021 08:15 AM

Hi,

 

Can you try adding  this line to your interface

 

!

authentication event no-response action authorize vlan 506

!

 

 

Make sure you have created the VLAN 506 & and SVI with ip helpers to your DHCP server & scope built.

 

 

Regards, Alex. Please rate useful posts.

MHM Cisco World
VIP
VIP
In response to zakfleming1

‎05-07-2021 06:42 PM

you mention the PC failed 802.1x or you meaning PC not support 802.1x?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card