Hi

I would like to achieve that a wired client can authenticate via dot1x and received the defined vlan id from the radius server. The wifi configuration is already working. Client logs in with AD credentials and gets matched with the defined vlan.

Now I am trying to configure wired dot1x on a cisco 3650 switch.

When i connect a device to my test switchport i receive the following error message:

*May 14 18:29:18 CEST: %DOT1X-5-SUCCESS:Switch 1 R0/0: smd:  Authentication successful for client (406C.8F1F.9B49) on Interface Gi4/0/19 AuditSessionID 0AFFE7020000008D5F7C187A
*May 14 18:29:18 CEST: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (406C.8F1F.9B49) on Interface GigabitEthernet4/0/19 AuditSessionID 0AFFE7020000008D5F7C187A
*May 14 18:29:18 CEST: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (406C.8F1F.9B49) on Interface GigabitEthernet4/0/19 AuditSessionID 0AFFE7020000008D5F7C187A
*May 14 18:29:18 CEST: %DOT1X-5-RESULT_OVERRIDE:Switch 1 R0/0: smd:  Authentication result overridden for client (406C.8F1F.9B49) on Interface Gi4/0/19 AuditSessionID 0     

My switchport configuration looks like this:

interface GigabitEthernet4/0/19
 subscriber aging inactivity-timer 60 probe
 switchport mode access
 access-session host-mode single-host
 access-session port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 service-policy type control subscriber POLICY_1
end

My service policy looks like this:

POLICY_1
  event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x 

---

I mostly used this manual:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/15-e/ibns-15-e-book/ibns-cntrl-pol.html 

---

I'm using a Microsoft Radius Server (Windows 2008 R2). The radius server receives and grants access, but the switch doesn't grant access and the client never receives a valid ip.

Any idea whats wrong?

Thanks for your help!

Janis