wired 802.1x guest vlan test

tianwen.zhao, Level 1

Hi everyone,

I have an 802.1x problem here.

I hoped that when the PC fails authentication it would be dynamically assigned to the guest VLAN,

but instead it is dropped and not assigned to the dedicated guest VLAN.


c3560#sho mac add int fa0/13
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  21    68f7.2802.73d4    DYNAMIC     Drop

!

c3560#sho authentication sessions interface fastEthernet 0/13
Interface: FastEthernet0/13
MAC Address: 68f7.2802.73d4
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Running
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A50016E00000042012CFA50
Acct Session ID: 0x00000056
Handle: 0x14000042

Runnable methods list:
Method State
dot1x Running

!

Here is the configuration of the interface. It should be allocated to VLAN 31.

!

interface FastEthernet0/13
description dot1x
switchport access vlan 21
switchport mode access
authentication event no-response action authorize vlan 31
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
dot1x pae authenticator
spanning-tree portfast
end

!

How can I troubleshoot this?

Thank you for any replies.

Thanks again.


9 Replies

Seb Rupik, VIP Alumni

Hi there,

Is the PC connected to this switch 802.1x capable? If it is and fails the authC process, it will be denied access.

cheers,

Seb.

Thank you for your reply.
Yes, I disabled the PC's IEEE 802.1x identity authentication because I wanted the PC assigned to the guest VLAN.
If I enable it, the PC is assigned to the data VLAN.

Thank you Seb.

Do you mean to say that you have completely disabled the 802.1x supplicant on the interface?

I mean I have disabled 802.1x on the PC, not on the interface, because I wanted the PC to fail authentication so that it would be assigned to the guest VLAN.
!
The configuration of the interface is as below:
!
interface FastEthernet0/13
switchport access vlan 21
switchport mode access
authentication event no-response action authorize vlan 31
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
dot1x pae authenticator
spanning-tree portfast
!

So, 802.1x is enabled on the interface, but I don't know why the PC is being dropped instead of being assigned to VLAN 31.
Thank you for your reply.

Did you plug in the machine after you disabled 1X on it?

With the config below, the switch will try to seek a supplicant after something plugs in.

90 seconds later, 1X will time out, and the session should move into VLAN 31.

DHCP might have timed out by then, so consider shortening the overall timeout.

Look to shorten [tx-period]. The default is 30 seconds before retransmission, and the switch will retransmit twice before giving up on 1X.

Thank you for your reply.
I have shortened [tx-period], but it didn't work. It is still dropping.


interface FastEthernet0/13
description dot1x
switchport access vlan 21
switchport mode access
authentication event no-response action authorize vlan 31
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
dot1x pae authenticator

dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5

spanning-tree portfast
!
c3560#sho mac add int fa0/13
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  21    68f7.2802.73d4    DYNAMIC     Drop

Thank you

What code rev on the 3560 is this? Try to disable multi-auth:

[no] authentication host-mode multi-auth

Thank you for your reply.
When I changed the host-mode from multi-auth to multi-domain or single-host, it moved into VLAN 31.
What is the difference between multi-auth and multi-domain? What causes it to be dropped when using multi-auth?

As far as I know, using multi-domain normally gives the same support as using multi-auth.

multi-auth and multi-domain auth are not equal. This is not supported on the 3560:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/sw8021x.html#34343

As you can see, starting in this release, while you could do RADIUS-assigned VLANs on a multi-auth port, additional hosts had to match, and guest/auth-fail VLANs couldn't work, as the switch doesn't have a way to put 2 machines on 2 different VLANs on a port that was -not- a trunk port.
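The two points raised in this thread (how long a port with no supplicant waits before the no-response action fires, and that a guest VLAN is not honoured in multi-auth host-mode on this platform) can be checked mechanically before a config is pushed. The Python below is an added example written for this page, not Cisco code or anything from the original posts. It assumes the IOS defaults the reply above quotes (tx-period 30 seconds, two retransmissions before giving up, i.e. max-reauth-req 2), assumes a 60-second threshold for "DHCP may give up first" (a constructed value, not a Cisco figure), and uses the asker's final interface stanza as its sample input.

```python
import re

# IOS defaults as stated in the thread: 30 s between EAP-Request/Identity
# retransmissions, and two retransmissions before the switch gives up on 1X.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2
# Assumed threshold (constructed, not a Cisco figure): a fallback slower than
# this risks the host's DHCP client timing out before the port is authorised.
DHCP_PATIENCE_SECONDS = 60

# Constructed sample: the asker's final interface stanza from the thread.
SAMPLE_CONFIG = """interface FastEthernet0/13
 description dot1x
 switchport access vlan 21
 switchport mode access
 authentication event no-response action authorize vlan 31
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 60
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 spanning-tree portfast
"""


def parse_interface(text):
    """Extract the dot1x-relevant settings from one interface stanza.

    Only the commands this check cares about are parsed; everything else in
    the stanza is ignored.  Missing timers fall back to the IOS defaults.
    """
    cfg = {
        "host_mode": "single-host",      # IOS default when no host-mode is set
        "no_response_vlan": None,
        "tx_period": DEFAULT_TX_PERIOD,
        "max_reauth_req": DEFAULT_MAX_REAUTH_REQ,
        "dot1x": False,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"authentication host-mode (\S+)$", line):
            cfg["host_mode"] = m.group(1)
        elif m := re.match(r"authentication event no-response action authorize vlan (\d+)$", line):
            cfg["no_response_vlan"] = int(m.group(1))
        elif m := re.match(r"dot1x timeout tx-period (\d+)$", line):
            cfg["tx_period"] = int(m.group(1))
        elif m := re.match(r"dot1x max-reauth-req (\d+)$", line):
            cfg["max_reauth_req"] = int(m.group(1))
        elif line == "dot1x pae authenticator":
            cfg["dot1x"] = True
    return cfg


def no_response_delay(cfg):
    """Seconds from link-up until the no-response action fires.

    The authenticator sends one EAP-Request/Identity, then max-reauth-req
    retransmissions spaced tx-period apart, and only then declares the port
    unresponsive: (max-reauth-req + 1) * tx-period.  With the defaults that
    is 3 * 30 = 90 s, matching the "90 seconds later" figure in the reply.
    """
    return cfg["tx_period"] * (cfg["max_reauth_req"] + 1)


def lint(cfg):
    """Return a list of findings for the combinations this thread ran into."""
    findings = []
    if cfg["no_response_vlan"] is not None and cfg["host_mode"] == "multi-auth":
        # The accepted answer: the guest (no-response) VLAN cannot be applied
        # in multi-auth host-mode on this platform; the session is dropped.
        findings.append(
            "no-response VLAN %d is not honoured in multi-auth host-mode; "
            "use multi-domain or single-host" % cfg["no_response_vlan"]
        )
    delay = no_response_delay(cfg)
    if cfg["no_response_vlan"] is not None and delay > DHCP_PATIENCE_SECONDS:
        findings.append(f"fallback takes {delay}s; DHCP clients may give up first")
    return findings


if __name__ == "__main__":
    parsed = parse_interface(SAMPLE_CONFIG)
    print(f"fallback to VLAN {parsed['no_response_vlan']} after {no_response_delay(parsed)}s")
    for finding in lint(parsed):
        print("WARNING:", finding)
```

Run against the sample stanza, the script reports a 15-second fallback (tx-period 5 with two retransmissions) and one warning, the multi-auth/guest-VLAN conflict that the accepted answer identifies; the same stanza with `authentication host-mode multi-domain` and the default timers reports the 90-second fallback the reply describes and only the DHCP-timing warning.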
