DOT1X and guest vlan not working

gcook0001
Level 1

I am trying to set up the following. When a company device plugs in to the network, it authenticates using dot1x. When a non-company device plugs in to the network, it gets put on our guest VLAN. I almost have it, except that the IP address of the system does not change when switching devices.

This is the configuration I am running.


BOARD-ROOMS EAP-TLS with failover for guest
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
policy-map type control subscriber BOARD_ROOMS
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
10 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 activate service-template GUEST_VLAN
30 authorize
30 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 activate service-template GUEST_VLAN
40 class always do-until-failure
10 terminate dot1x
20 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10


interface GigabitEthernet2/0/21
description Gord Desk
switchport access vlan 290
switchport mode access
authentication timer reauthenticate server
access-session port-control auto
dot1x pae authenticator
spanning-tree portfast
service-policy type control subscriber BOARD_ROOMS

interface GigabitEthernet1/0/16
description Gord Desk
switchport access vlan 290
switchport mode access
authentication timer reauthenticate server
access-session port-control auto
dot1x pae authenticator
spanning-tree portfast
service-policy type control subscriber BOARD_ROOMS


If I plug in a company laptop and run the following command, I get the following output, and the laptop gets an IP address from VLAN 290:

NSD-SW-ACCESS-1#show access-session interface g2/0/21 d
Interface: GigabitEthernet2/0/21
IIF-ID: 0x1C41FCFB
MAC Address: a08c.fd2b.0326
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: host/lg-ltp-4.cgc.local
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 07001DAC0000472FCD529754
Acct Session ID: 0x00000238
Handle: 0x000008ef
Current Policy: BOARD_ROOMS

Server Policies:

Method status list:
Method State
dot1x Authc Success


If I plug in a non-company laptop and run the following command, I get the following output; the laptop gets an IP address from VLAN 290, but the output shows VLAN 307:

NSD-SW-ACCESS-1#show access-session interface g2/0/21 d
Interface: GigabitEthernet2/0/21
IIF-ID: 0x13761CB1
MAC Address: 5cb9.01ab.30ae
IPv6 Address: Unknown
IPv4 Address: Unknown
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 07001DAC00004730CD542C38
Acct Session ID: 0x00000239
Handle: 0xef0008f0
Current Policy: BOARD_ROOMS

Local Policies:
Service Template: GUEST_VLAN (priority 150)
Voice Vlan: Vlan: 301
Vlan Group: Vlan: 307

Server Policies:

Method status list:
Method State
dot1x Stopped


If I run ipconfig /release /renew on the laptop, it then gets an IP address from VLAN 307.

Any help would be appreciated.

Thanks
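A small audit script, added here and not part of the thread, that parses the two `show access-session ... detail` captures above and checks that each session's effective VLAN matches its authentication state. The port VLAN (290) and guest VLAN (307) are taken from the configuration and output above; the captures are trimmed to the fields the check uses.

```python
# Captures trimmed from the two 'show access-session interface g2/0/21 detail'
# outputs above: a company laptop that passed EAP-TLS, and a non-company laptop
# that fell through to the GUEST_VLAN service template.
AUTHENTICATED = """\
Interface: GigabitEthernet2/0/21
MAC Address: a08c.fd2b.0326
User-Name: host/lg-ltp-4.cgc.local
Domain: DATA
Method State
dot1x Authc Success
"""
GUEST = """\
Interface: GigabitEthernet2/0/21
MAC Address: 5cb9.01ab.30ae
Domain: UNKNOWN
Service Template: GUEST_VLAN (priority 150)
Voice Vlan: Vlan: 301
Vlan Group: Vlan: 307
Method State
dot1x Stopped
"""
PORT_ACCESS_VLAN = 290   # 'switchport access vlan 290' on the port
GUEST_VLAN = 307         # data VLAN the GUEST_VLAN template assigns

def parse_session(text):
    """Extract the fields the check needs from one 'detail' capture."""
    s = {"mac": None, "domain": None, "dot1x": None, "template": None, "data_vlan": None}
    for line in text.splitlines():
        key, _, val = line.partition(": ")
        if key == "MAC Address":
            s["mac"] = val
        elif key == "Domain":
            s["domain"] = val
        elif key == "Service Template":       # 'GUEST_VLAN (priority 150)'
            s["template"] = val.split(" ")[0]
        elif key == "Vlan Group":             # 'Vlan Group: Vlan: 307'
            s["data_vlan"] = int(val.rsplit(" ", 1)[1])
        elif line.startswith("dot1x "):       # row of the method status list
            s["dot1x"] = line.split(" ", 1)[1]
    return s

def audit(s, port_vlan=PORT_ACCESS_VLAN, guest_vlan=GUEST_VLAN):
    """Return findings; an empty list means the session is where it should be."""
    authed = s["domain"] == "DATA" and s["dot1x"] == "Authc Success"
    # A local template's data VLAN overrides the port's configured access VLAN.
    vlan = s["data_vlan"] if s["data_vlan"] is not None else port_vlan
    findings = []
    if authed and vlan != port_vlan:
        findings.append(f"{s['mac']}: authenticated but placed on VLAN {vlan}")
    if not authed and vlan != guest_vlan:
        findings.append(f"{s['mac']}: unauthenticated session on VLAN {vlan}, not guest VLAN {guest_vlan}")
    return findings
```

Run `audit(parse_session(...))` on each capture; a session that reports dot1x Stopped but carries no template (so the port VLAN applies) is the case the check is meant to catch.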

3 Replies

gcook0001
Level 1

Of course I figured it out right after posting. I removed spanning-tree portfast from the interface, which makes sense. The only issue now is that it takes about 50 seconds to get a full connection, since it has to authenticate before fully connecting. If there is a method that speeds this up, that would be great.

Hello,

Disabling spanning-tree portfast should, in theory, not be necessary. As far as I recall, what you describe has to do with the configuration options below. You have to set the timeout period to something lower than the DHCP timeout. The default is 30 seconds; try setting it to 10 (or even lower, and test which value works):

dot1x max-reauth-req 3
dot1x timeout tx-period 10

I am trying to understand your solution. Our DHCP server is Windows 2019, and I don't see a way to adjust the DHCP settings there as indicated. The whole idea of portfast is to connect the client before all other processing takes place, so it gets an IP address before it goes through the authentication process.
