05-07-2019 12:51 AM - edited 05-07-2019 12:56 AM
Hi everyone,
I have an 802.1X problem here.
I expected the PC to be dynamically assigned to the guest VLAN when authentication fails,
but it turned out to be dropped and not assigned to the dedicated guest VLAN.
c3560#sho mac add int fa0/13
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
21 68f7.2802.73d4 DYNAMIC Drop
!
c3560#sho authentication sessions interface fastEthernet 0/13
Interface: FastEthernet0/13
MAC Address: 68f7.2802.73d4
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Running
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A50016E00000042012CFA50
Acct Session ID: 0x00000056
Handle: 0x14000042
Runnable methods list:
Method State
dot1x Running
!
Here is the interface configuration. It should be assigned to VLAN 31.
!
interface FastEthernet0/13
description dot1x
switchport access vlan 21
switchport mode access
authentication event no-response action authorize vlan 31
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
dot1x pae authenticator
spanning-tree portfast
end
!
How can I troubleshoot this?
Thank you for any replies.
Thanks again.
05-07-2019 12:57 AM
Hi there,
Is the PC connected to this switch 802.1X capable? If it is and fails the authC process, it will be denied access.
cheers,
Seb.
05-07-2019 01:13 AM
05-07-2019 01:27 AM
Do you mean to say that you have completely disabled the 802.1x supplicant on the interface?
05-07-2019 01:33 AM - edited 05-07-2019 01:45 AM
I mean I have disabled 802.1X on the PC, not on the interface, because I wanted the PC to fail authentication so that it would be assigned to the guest VLAN.
!
The configuration of the interface is as below:
!
interface FastEthernet0/13
switchport access vlan 21
switchport mode access
authentication event no-response action authorize vlan 31
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
dot1x pae authenticator
spanning-tree portfast
!
So, 802.1X is enabled on the interface. But I don't know why the PC is being dropped and not assigned to VLAN 31.
Thank you for your reply
05-07-2019 06:21 AM
Did you plug in the machine after you disabled 1X on it?
With the config below, the switch will try to seek a supplicant after something plugs in.
90-sec later, 1X will time out, and session should move into VLAN-31.
DHCP might have timed out by then, so consider shortening the overall timeout.
Look to shorten [tx-period]. Default is 30-sec before retransmission, and switch will retransmit twice before giving up on 1X.
05-07-2019 10:21 PM - edited 05-07-2019 10:23 PM
Thank you for your reply.
I have shortened [tx-period], but it didn't work. It is still dropping.
interface FastEthernet0/13
description dot1x
switchport access vlan 21
switchport mode access
authentication event no-response action authorize vlan 31
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast
!
c3560#sho mac add int fa0/13
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
21 68f7.2802.73d4 DYNAMIC Drop
Thank you
05-08-2019 05:48 AM
What code rev on the 3560 is this? Try to disable multi-auth:
[no] authentication host-mode multi-auth
05-08-2019 08:44 PM - edited 05-08-2019 11:23 PM
Thank you for your reply.
When I changed the host-mode from multi-auth to multi-domain or single-host, it could move into VLAN 31.
What is the difference between multi-auth and multi-domain? What causes it to be dropped when using multi-auth?
As far as I know, when multi-domain is used normally, it supports the same as using multi-auth.
05-09-2019 07:15 AM
multi-auth and multi-domain auth are not equal. This is not supported on the 3560:
As you can see, starting in this release, while you could do RADIUS-Assigned VLANs on a multi-auth port, additional hosts had to match, and guest/auth-fail VLANs couldn't work as the switch doesn't have a way to put 2 machines on 2 different VLANs that was -not- a trunk port.
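Added example, not part of the thread and not Cisco tooling: a small Python audit that scans a saved running-config for ports that pair a no-response guest VLAN with multi-auth host mode (the combination the reply above says does not work on the 3560) and estimates the 802.1X timeout from tx-period as described earlier in the thread. The function name `audit`, the sample config and the FastEthernet0/14 stanza are constructed for illustration.

```python
import re

# From the thread: 30 s default tx-period, two retransmissions before giving up.
DEFAULT_TX_PERIOD = 30
RETRANSMITS = 2

# Constructed sample, modelled on the interface configs posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/13
 switchport access vlan 21
 authentication event no-response action authorize vlan 31
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/14
 authentication event no-response action authorize vlan 31
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
!
"""

def audit(config):
    """Return one finding per interface that has a no-response (guest) VLAN."""
    findings = []
    for stanza in re.split(r"(?m)^(?=interface )", config):
        name = re.match(r"interface (\S+)", stanza)
        guest = re.search(r"event no-response action authorize vlan (\d+)", stanza)
        if not name or not guest:
            continue
        mode = re.search(r"authentication host-mode (\S+)", stanza)
        tx = re.search(r"dot1x timeout tx-period (\d+)", stanza)
        tx_period = int(tx.group(1)) if tx else DEFAULT_TX_PERIOD
        findings.append({
            "interface": name.group(1),
            "guest_vlan": int(guest.group(1)),
            # single-host is the IOS default when no host-mode line is present.
            "host_mode": mode.group(1) if mode else "single-host",
            # Per the thread, the guest VLAN is not applied under multi-auth.
            "guest_vlan_blocked": bool(mode and mode.group(1) == "multi-auth"),
            # Seconds before 802.1X gives up: first request plus retransmits.
            "fallback_after_s": tx_period * (RETRANSMITS + 1),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
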