Dot1x: not failing over to guest VLAN

Hello

I am deploying dot1x in the office and I am having a little difficulty getting both dot1x and MAB to fail and then have the switch fall back to the guest VLAN.

A simple scenario: where an end-user device cannot provide authentication, I want the switch to automatically put the user on the guest VLAN. I did not enable periodic re-authentication, I set the re-authentication parameters to their minimum and I configured maximum attempts, but the switch constantly keeps trying to authenticate the device.

Switch model: WS-C2960-24LT-L with 15.0(2)SE6.

The switch configuration:

 aaa accounting dot1x default start-stop group radius
 aaa authentication dot1x default group radius
 dot1x system-auth-control

Port configuration:

 interface FastEthernet0/15
  switchport access vlan 144
  switchport mode access
  authentication event fail action next-method
  authentication event server dead action authorize vlan 550
  authentication event no-response action authorize vlan 550
  authentication host-mode single-host
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x max-req 3
  dot1x max-reauth-req 1
  spanning-tree portfast
 !

Any help will be greatly appreciated.

UPDATE: see the comments below.

Good job solving your own problem Oliver, and for taking the time to update everyone here! (+5 from me). If your problem is resolved you should mark the thread as answered ;)

Tags: Cisco Security

Similar Questions

  • Dot1x Guest VLAN / Auth-Fail VLAN issues

    Hi all

    I am configuring dot1x on our access layer switch ports and have a few problems with devices that fail authentication.  This is the current configuration on the switch port:

    switchport mode access
    switchport voice vlan 38
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-domain
    dot1x timeout server-timeout 10
    dot1x timeout reauth-period server
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 3
    dot1x max-req 3
    dot1x max-reauth-req 3
    dot1x reauthentication
    dot1x critical
    dot1x critical recovery action reinitialize
    dot1x auth-fail vlan 7
    dot1x guest-vlan 7
    dot1x critical vlan 36
    spanning-tree portfast
    spanning-tree bpduguard enable

    When a non-employee connects they go through the authentication process, eventually fail dot1x and MAB, and are placed in the designated guest VLAN 7.  If you do a "show int gx/x status" on this port, the switch shows it connected and in VLAN 7.  If you do a "show dot1x int gx/x details" it also shows the port as authorized (by Guest-Vlan) and the VLAN policy is 7.  The problem is the user never gets a valid IP address - they receive only a 169.x.x.x.  Does anyone have experience with this type of issue, or any recommendations?

    Thank you

    Brian

    -First of all, your switch commands tell me you are using old software on your switch; you should upgrade it first of all, there have been a lot of bug fixes and improvements to dot1x/mab in recent versions.

    -Your problem is probably that the DHCP client of your guest is timing out before you are finished with dot1x and mab; usually adjusting tx-period to a lower number can help with the time it takes before joining the guest VLAN, but it could also have an impact on your computers running dot1x, so you should try some different values. Also, using Windows XP SP3 or Windows 7 helps on your dot1x machines, and finally using the AnyConnect NAM supplicant it will operate properly without having any problems when setting the dot1x timers on your switch.

    -With the new software I would go with default timers, perhaps change tx-period to 5 seconds, and then use "authentication order mab dot1x" and "authentication priority mab dot1x"; also having your guest VLAN as your default VLAN will generally solve the problem of guests having to do a new DHCP request once authenticated, however you can run into problems with stuff you want to use mab on.

  • Guest-vlan; Catalyst 2960

    Hello

    I would like to set up a guest-vlan and a restricted vlan on a 2960 switch, but I can't.

    The IOS version (obtained with: show version) is:

    Switch Ports Model              SW Version    SW Image
    ------ ----- -----              ----------    ----------
    *    1 52    WS-C2960S-48 I/S-L 12.2(53)SE2   C2960S-UNIVERSALK9-M

    I am configuring the interface using the following commands:

    RAK-ASW01#configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CNTL/Z.
    RAK-ASW01(config)#interface gigabitEthernet 0/1/11
    RAK-ASW01(config-if)#switchport mode access
    RAK-ASW01(config-if)#dot1x port-control auto
    RAK-ASW01(config-if)#dot1x guest-vlan 17
    RAK-ASW01(config-if)#end

    The result is the following, as if the guest-vlan command is simply not supported:

    RAK-ASW01#show dot1x interface gigabitEthernet 0/1/11
    Dot1x Info for GigabitEthernet1/0/11
    -----------------------------------
    PAE = AUTHENTICATOR
    PortControl = AUTO
    ControlDirection = Both
    HostMode = SINGLE_HOST
    QuietPeriod = 60
    ServerTimeout = 0
    SuppTimeout = 30
    ReAuthMax = 2
    MaxReq = 2
    TxPeriod = 30

    RAK-ASW01#

    The result is similar when trying to set up an auth-fail VLAN.

    The full configuration file is attached.

    Many thanks in advance,

    Wawan972_

    Hello

    You see it here. It is expected if you use this command.

    To see it, use 'show running-config interface x/x' and check whether the configuration commands are there, or, if there is already a device on the port, use 'show authentication session interface x/x' and see whether the guest VLAN is being used or not.

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • some computers are not authenticated successfully with ISE and join the guest VLAN

    Hello

    We have deployed ISE in a company and set up the workstations for computer authentication. When workstations authenticate, they are placed in the Data VLAN (5); if they fail, they must be placed in the guest VLAN (50). The WiredAutoConfig service is set up as supplicant through a GPO so all the workstations have the same settings.

    The ISE certificate is signed by our internal CA and the workstations have also imported the CA into their trusted CA list.

    The problem is that a few workstations are placed in the guest VLAN. Previously on these workstations we got a pop-up as below. When you clicked 'connect' the workstations were placed properly in the data VLAN (5). We no longer get this security alert on these machines and they just join the guest VLAN, which is not what we want.

    However, most of the workstations authenticate successfully.

    switchport configuration:

    switchport access vlan 5
    switchport mode access
    switchport voice vlan 6
    authentication event fail action next-method
    authentication event server dead action authorize vlan 5
    authentication event server dead action authorize voice
    authentication event no-response action authorize vlan 50
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication violation replace
    mab
    mls qos trust dscp
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    spanning-tree bpduguard enable

    ISE authentication log:

    Is anyone in a similar situation?

    I guess the domain machines have the root CA certificate checked under the 'Protected EAP Properties' window?

  • rejected MAC addresses are not placed in the guest VLAN

    Hi all

    I'm kind of new to switches and have learned a lot by reading the documentation sites. My job is to enable AAA authentication on our Cisco switches; we have a 3750 stack, a few 3560s and some 3550s. I am testing on one of the 3560s, a WS-C3560G-48PS running 12.2(53)SE1 IP-BASE. Next week I'll update the firmware to 12.2(55), but with this version everything should already work.

    Basically, the only thing I have been asked to do at the moment is MAC Auth Bypass configuration. If the MAC address is accepted, RADIUS returns the VLAN the device should be placed in, for the most part VLAN 4.

    If the RADIUS server (freeradius v2.1.10) sends a reject (see below), the port is not set to the guest VLAN as I expected.

    Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
    Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
    Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B

    Can someone tell me where I'm going wrong?

    Thank you

    Chris

    Relevant parts of the running-config:
    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !
    aaa session-id common
    !
    dot1x system-auth-control
    !
    interface GigabitEthernet0/29
     description 235 a
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !
    interface Vlan1
     ip address 10.1.1.207 255.255.255.0
    !
    interface Vlan2
     ip address 10.1.10.207 255.255.255.0
    !
    ip default-gateway 10.1.1.201
    ip classless
    !
    ip sla enable reaction-alerts
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server timeout 10
    radius-server key 7 ...
    radius-server vsa send accounting
    radius-server vsa send authentication
    !
    end

    VLAN information:

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- ------------------------------
    1    default                          active    Gi0/6, Gi0/8, Gi0/14, Gi0/15
                                                    Gi0/18, Gi0/21, Gi0/29, Gi0/30
                                                    Gi0/34, Gi0/36, Gi0/37, Gi0/49
                                                    Gi0/50, Gi0/51
    2    voice                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                    Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                    Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                    Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                    Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                    Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                    Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                    Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                    Gi0/42, Gi0/43, Gi0/44, Gi0/45
                                                    Gi0/46, Gi0/47, Gi0/49
    3    video                            active
    4    DHCP                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/7, Gi0/9, Gi0/10
                                                    Gi0/11, Gi0/12, Gi0/13, Gi0/16
                                                    Gi0/17, Gi0/19, Gi0/20, Gi0/22
                                                    Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                    Gi0/27, Gi0/28, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/35, Gi0/38, Gi0/39
                                                    Gi0/40, Gi0/41, Gi0/42, Gi0/43
                                                    Gi0/44, Gi0/45, Gi0/46, Gi0/48
    5    transfer                         active
    6    Test ESX                         active
    7    GUEST-VLAN                       active
    999  native                           active
    1002 fddi-default                     act/unsup
    1003 trcrf-default                    act/unsup
    1004 fddinet-default                  act/unsup
    1005 trbrf-default                    act/unsup


    Hello

    Just to use the correct names, what you want is an auth-fail VLAN (which you configured correctly). The guest VLAN is for PCs that do not have dot1x capability (they do not respond to dot1x packets), but with MAC bypass the "no-response" event will never happen.

    Now that this is explained, your config actually seems quite ok. I'd go with debugs to check what the problem is.

    debug radius

    debug epm all

    debug authentication feature mab all
    debug authentication feature mda all

    Nicolas

    ===

    Remember to rate the responses that you find useful

  • N3048P voice VLAN and DHCP issues

    Hello

    I just received several N3048P switches for our access layer and 2 x 4048-ON for our core layer. The N3048Ps are VLT'd between the two 4048s. There are 4 x N3048P stacked on top of each other. The 4048s hold all the gateways via VRRP.

    I have 802.1x working with my Windows test client, and I can get the phone (Cisco 7941) to acquire a DHCP address if I put it on a port in "switchport mode access". However, if I change the port to a general port with voice VLAN and 802.1x enabled, the phone does not get a DHCP address, but the PC attached to the phone gets a DHCP address in the correct VLAN.

    I see CDP and LLDP messages exchanged via Wireshark, and it seems that the phone and the switch are exchanging the voice VLAN correctly.

    My question is, why can't the phone get a DHCP address?

    Here's the relevant switch config below. I know that some of the config may be duplicated from troubleshooting steps:

    vlan 75
     name "Test"
    exit
    vlan 76
     name "Test_Phones"
    exit

    ip helper-address 1.1.1.3 dhcp
    ip helper-address 1.1.1.4 dhcp

    interface vlan 75
     ip address 172.16.75.4 255.255.255.0
     ip helper-address 1.1.1.3
     ip helper-address 1.1.1.4
    exit
    interface vlan 76
     ip address 172.16.76.4 255.255.255.0
     ip helper-address 1.1.1.3
     ip helper-address 1.1.1.4

    aaa authentication login "defaultList" local
    aaa accounting dot1x default start-stop radius
    dot1x system-auth-control
    aaa authentication dot1x default radius
    aaa authorization network default radius

    voice vlan

    radius-server source-ip 172.16.75.4
    radius-server key "key"
    radius-server host auth 1.1.1.1
     primary
     name "rad1"
     usage 802.1x
     key "key"
    exit
    radius-server host auth 1.1.1.2
     name "rad2"
     usage 802.1x
     key "key"
    exit
    radius-server host acct 1.1.1.1
     name "rad1"
    exit
    radius-server host acct 1.1.1.2
     name "rad2"
    exit

    interface Gi2/0/1
     description "802.1x client port"
     spanning-tree portfast
     spanning-tree guard root
     switchport mode general
     switchport general allowed vlan add 75-76 tagged
     dot1x re-authentication
     dot1x timeout quiet-period 5
     dot1x timeout tx-period 5
     dot1x guest-vlan 20
     dot1x unauth-vlan 20
     lldp transmit-tlv sys-desc sys-cap
     lldp transmit-mgmt
     lldp notification
     lldp med confignotification
     voice vlan 76
     voice vlan auth disable
    exit

    Thanks for any input you may have. Let me know if there is any other information I can provide.

    -Jason

    This ended up being the correct port configuration:

    interface Gi2/0/1
     description "802.1x client port"
     spanning-tree portfast
     switchport mode general
     switchport general pvid 75
     switchport general allowed vlan add 75
     switchport general allowed vlan add 76 tagged
     dot1x port-control mac-based
     dot1x re-authentication
     dot1x timeout quiet-period 5
     dot1x timeout supp-timeout 15
     dot1x timeout tx-period 5
     dot1x timeout guest-vlan-period 15
     dot1x guest-vlan 20
     dot1x unauth-vlan 20
     voice vlan 76
     voice vlan auth disable

    The most important line here is "dot1x port-control mac-based". I had "dot1x port-control auto" configured, but it did not work as expected. In addition, defining the guest-vlan-period and supp-timeout was necessary. If the port was bounced, the switch would not necessarily reauth the port.

  • Deployment of ISE in a routed network and VLANs

    Hello world

    Newbie to ISE. I would like help/suggestions on how to deploy ISE in my network, or comments on whether my plan will work.

    ISE machines, servers (all) and corporate (dot1x and domain) machines in VLAN 10

    Guests should be in the separate VLAN 20

    By default all switch ports should be in VLAN 30, which has nothing but DHCP.

    Each endpoint should come through VLAN 30 and then be pushed to the respective VLAN, i.e. 10 if a corp (dot1x) PC and guest VLAN 20 if MAB and not present in the endpoints.

    Is this a workable deployment?

    Secondly, is inter-VLAN routing required in this scenario for the endpoints to be controlled properly?

    Are ISE and the endpoints able to communicate when they are not in the policy VLAN?

    Hello

    Deploying ISE requires a lot of consideration in many aspects. I suggest you read the Cisco documentation carefully to become familiar with it.

    http://www.Cisco.com/c/dam/en/us/TD/docs/solutions/enterprise/security/T...

    A Cisco ISE node plays many roles: Admin, Monitoring & Policy Service. The crux is the Policy Service Node (PSN), which plays the role of RADIUS server (RADIUS endpoint to be precise) to handle the requests from the AAA clients.

    For dot1x authentication of internal hosts, you can have an ISE PSN in the internal LAN (same VLAN as the servers) or the users. Whereas for wireless clients, you can use a dedicated PSN or share the PSN according to security requirements.

    Cheers,

    Vidy

    Please don't forget to rate this post if useful.

  • Guest Internet Access

    Hello

    Looking for advice on the subject of the guest VLAN.

    How can I keep guest traffic off the DATA VLAN? All traffic from the guest VLAN should be routed directly to the Internet.

    I am looking for a setup similar to hotels: guests are provided with a username and password, with a time limit on internet access and a limit on download speed.

    Do I have to create a different SSID on the WLC, and how will guest users acquire IP addresses, WLC DHCP or Windows DHCP?

    If it is Windows DHCP, can guest traffic reach my DATA VLAN?

    Any help

    We have a WLC 4420 - sorry - a 4402-xx

    AP 1200 series (quantity 5)

    I'm new to WLC, can you help me understand:

    • How many SSIDs can we configure on the WLC, and can each SSID have different config settings?

    The AP and the code you have support only 8-16.  You do not want to configure too many (around 4) because all the beacons that must be sent could cause problems with some devices.  You can configure the SSIDs the same or different, it is up to you.  Follow best practices on it.

    • Can we broadcast a specific SSID on a specific access point configured on the WLC (AP #1 can be used for the DATA SSID & another SSID) (AP #2 may be the partner & guest SSIDs)?

    You can create WLAN overrides (depending on code - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml) to specify which APs will broadcast this SSID.  This can be annoying if you have gaps in roaming, unless that's not an issue.

    • For the guest SSID, is it recommended to connect to a separate WLC port?

    You have different options:

    • You can use a guest anchor controller in the DMZ
    • You can use one port on the WLC connected to your internal network and the other port in the DMZ
    • You can trunk the VLANs and use ACLs to block all guest traffic to inside networks.

    It all depends on your existing infrastructure and whether you are planning to buy more equipment or use the existing.

    • Instead of creating guest users on the WLC with time restrictions, is there a third-party solution with easy management? (The front-desk secretary could give internet access to guests)

    You can use a NAC Guest Server... if you want to spend a lot of money.  You can configure a Lobby Admin account on the WLC so that the secretary only has read/write to add guest accounts.  It would be the same if you have a WCS with a Lobby Admin account.

    http://www.Cisco.com/en/us/docs/wireless/WCS/4.2/configuration/guide/wcsmanag.html#wp1078208

    • How to have control over bandwidth on the WLC, restricting users to a bandwidth limit?

    You must use a third-party tool for this, such as ZoneCD; alternatively, you can use the NAC Guest Server.

    http://www.Cisco.com/en/us/solutions/collateral/ns340/ns394/ns348/ns787/data_sheet_c78-456124.html


    http://www.google.com/url?q=http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/DeployingGuestAccess_051308.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=2&ved=0CAkQzgQoAQ&usg=AFQjCNGKgF_wWKQaI8lqHoFfwbg0iztVFg

    • Any example configuration link with an Internet connection with DATA and guest VLANs, using ACLs to restrict traffic?

    I put a few links above... hope this helps.  Once again, it will come down to your existing environment and how much you want to spend.  You should also look at who will be managing it, will the secretary want to do that, etc.?  How I see guest access... well... they go out a separate pipe to the internet, so I don't really care about bandwidth.  They are guests, so they would have to deal with it; no different from hotspots or even worse hotels :)  Keep it simple and make it work... then you can add more later when you get more familiar with the configuration and troubleshooting.

  • SG300-28 - Firmware 1.2.7.76 with MAC authentication: how to use the guest VLAN? (Bugs00131469)

    Hello,

    can you please explain this problem to me in more detail:

    ##################################################################

    Problem: When a port in MAC-based authentication mode tries to re-authenticate and the RADIUS

    attributes no longer contain the VLAN attributes, the re-authentication fails and the

    port should become unauthorized. This is not the case, and the port does not.

    (Bugs00131469)

    Solution: Do not delete the VLAN attributes on the RADIUS server, or unplug the

    network cable and plug it in again to force the failure.

    ##################################################################

    I use dynamic VLAN assignment for my known hosts on the network (MAC-based authentication only). But there are people from other companies who use their own computers, and these computers are not known to my RADIUS server. These people should use the guest VLAN. In general they disconnect the LAN cable from a host that is known to my RADIUS server and plug the LAN cable into their laptop (which is not known by the RADIUS server).

    Does this mean that this port will remain in the old VLAN, or will the switch change the port to the guest VLAN?

    And what happens if I reconnect the known computer to this port?

    This feature is very important to me, but I also need the RADIUS accounting functionality of the new firmware. So please give me some advice!

    Thank you very much!

    Alexander Wilke

    Hello, Alexander.

    When connecting an unknown host to the switch, it should go to an unauthenticated VLAN or, if you use the guest VLAN, a VLAN must be created statically on the switch. With guest-vlan enabled, the switch automatically assigns the port as an untagged member. Once the port is authorized, the switch will move the port out of the guest VLAN when the first supplicant is authorized.

    Basically, the bug listed above says not to make changes to your VLAN information on the RADIUS server, and if you do, unplug the network cable and reconnect it.

    -Tom

  • Dot1x question: MAB authentication will never fail or time out

    Hello

    I have a problem where the switch tries to authenticate a device with MAB and it will never fail or time out.

    Here's the situation: a device has 802.1x authentication active but with invalid parameters (or a missing certificate).

    The switch will start dot1x for the client and it will fail (a). It will switch from dot1x to MAB and... silence.

    I use a WS-C2960-24LT-L with IOS 15.0(2)SE.

    Config:

     interface FastEthernet0/16
      switchport access vlan 155
      switchport mode access
      authentication event fail action authorize vlan 550
      authentication event server dead action authorize vlan 550
      authentication event no-response action authorize vlan 550
      authentication port-control auto
      mab
      dot1x pae authenticator
      dot1x timeout quiet-period 3
      dot1x timeout tx-period 1
      spanning-tree portfast
      spanning-tree bpduguard enable
     end

    Logs:

     Dec 4 17:34:51.064 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
     Dec 4 17:34:51.147 GMT: %AUTHMGR-5-START: Starting 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:52.070 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up
     Dec 4 17:34:54.234 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:54.234 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:57.321 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:57.321 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:35:00.601 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
     Dec 4 17:35:00.601 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
     Dec 4 17:35:00.601 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094

    sh authentication sessions interface fa0/16

     Interface: FastEthernet0/16
     MAC Address: Unknown
     IP Address: Unknown
     Status: Running
     Domain: UNKNOWN
     Oper host mode: single-host
     Oper control dir: both
     Session timeout: N/A
     Idle timeout: N/A
     Common Session ID: 0A011246000001197AA21094
     Acct Session ID: 0x00000380
     Handle: 0x1700011A
     Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running

    You can see above that MAB is still running, but this device is not listed in the local identity store sequence or anywhere else. If I run the command 'no mab', the switch responds that no more methods are available, and nothing more.

     Interface  MAC Address  Method  Domain   Status      Session ID
     Fa0/16     (unknown)    N/A     UNKNOWN  No Methods  0A011246000001197AA21094

    However, when I remove the mab command and reset the port, it eventually fails dot1x and moves to the restricted VLAN.

    Is this by design, or is something dropped between the switch and the ACS authentication? Should I just use MAB where it is needed?

    Thank you in advance.

    On your interface configuration, I would normally expect to see flex-auth active as well:

     authentication priority dot1x mab
     authentication order dot1x mab
     authentication event fail action next-method
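    The loop described in this thread (dot1x times out, the authentication manager fails over to MAB, and the session then sits in "Running" with no result) is visible in the %AUTHMGR syslog lines quoted above. The following is an added example, not code from the thread: a small parser that groups those lines by AuditSessionID and classifies each session so a log-monitoring job can flag ports stuck after failover or retrying dot1x. It takes the lines from the post above plus one constructed MAB-success session (the 0011.2233.4455 MAC, port Fa0/17 and its session ID are made up).

```python
import re

# Lines quoted in the post above, plus one constructed session that succeeds
# via MAB (MAC 0011.2233.4455, Fa0/17 and session 0A011246000001207AA30000 are made up).
SAMPLE_LOG = """\
Dec 4 17:34:51.147 GMT: %AUTHMGR-5-START: Starting 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:54.234 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:54.234 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:57.321 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:57.321 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:35:00.601 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
Dec 4 17:35:00.601 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
Dec 4 17:35:00.601 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
Dec 4 17:36:10.000 GMT: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Fa0/17 AuditSessionID 0A011246000001207AA30000
Dec 4 17:36:10.300 GMT: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa0/17 AuditSessionID 0A011246000001207AA30000
Dec 4 17:36:10.310 GMT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa0/17 AuditSessionID 0A011246000001207AA30000
"""

# Every AUTHMGR/DOT1X/MAB line of interest has the same tail:
# "... for client (<mac>) on Interface <if> AuditSessionID <id>"
LINE_RE = re.compile(
    r"%(?P<mnemonic>[A-Z0-9]+-\d-[A-Z]+): (?P<text>.*?) for client \((?P<mac>[^)]+)\)"
    r" on Interface (?P<iface>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)"
)
RESULT_RE = re.compile(r"result '([^']+)' from '([^']+)'")
METHOD_RE = re.compile(r"(?:Starting|Failing over from) '([^']+)'")


def parse_line(line):
    """Return a dict for one authentication-manager syslog line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["method"], ev["result"] = None, None
    r = RESULT_RE.search(ev["text"])
    if r:
        ev["result"], ev["method"] = r.group(1), r.group(2)
    else:
        s = METHOD_RE.search(ev["text"])
        if s:
            ev["method"] = s.group(1)
    return ev


def sessions_from_log(log):
    """Group events by AuditSessionID, keeping arrival order."""
    sessions = {}
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev["sid"], {"iface": ev["iface"], "events": []})
        s["events"].append(ev)
    return sessions


def classify(session):
    """authorized | failed | stuck-after-failover | dot1x-retrying | in-progress.

    A batch parser cannot know how long a session has been silent, so a real
    detector would only report 'stuck-after-failover' once the FAILOVER line is
    older than the switch's MAB/RADIUS timeouts.
    """
    events = session["events"]
    mnemonics = {e["mnemonic"] for e in events}
    if "AUTHMGR-5-SUCCESS" in mnemonics:
        return "authorized"
    if "AUTHMGR-5-FAIL" in mnemonics:
        return "failed"
    if events[-1]["mnemonic"] == "AUTHMGR-7-FAILOVER":
        return "stuck-after-failover"   # next method started, no result ever logged
    if any(e["result"] == "timeout" for e in events):
        return "dot1x-retrying"         # supplicant present but EAP never completes
    return "in-progress"


def report(log):
    """Per-session summary: interface, state and how many dot1x timeouts were seen."""
    out = {}
    for sid, s in sessions_from_log(log).items():
        timeouts = sum(1 for e in s["events"] if e["result"] == "timeout")
        out[sid] = {"iface": s["iface"], "state": classify(s), "dot1x_timeouts": timeouts}
    return out


if __name__ == "__main__":
    for sid, info in report(SAMPLE_LOG).items():
        print(sid, info)
```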

  • Implementing 802.1x in a VLAN-per-switch topology

    We have several 6509E access switches that currently have a single user VLAN per switch (for example access-switch1 users are on vlan 101, access-switch2 users on vlan 102, etc.).

    We want to implement 802.1x, so that users end up either on an authorized VLAN or a guest VLAN depending on successful authentication. However, we would like to keep the VLAN-per-switch topology, so that users on switch1 go on vlan 101 if authenticated or guest vlan 201 if not; users on switch2 would go on vlan 102 if authenticated or 202 if not, etc.

    We are able to get this to work with a single authorized VLAN and a single guest VLAN, but those would have to extend over the entire network. Does anybody know if it is possible to allocate VLANs in 802.1x according to which switch the user authenticates to, so that they are placed in the right VLAN for that switch?

    Thanks in advance.

    Hi Paul,

    RFC 3580 (dot1x) specifies that the Tunnel-Private-Group-ID attribute is a string and not specifically a number, so the solution to your problem can be done by entering the VLAN name in the RADIUS server and configuring your access switches with the individual VLANs you want to use on each one; VLANs that have the same function on all switches must have exactly the same name that you entered in the RADIUS server, for example:

    Switch1 - VLAN 100 TECH, VLAN 150 GUEST

    Switch2 - VLAN 200 TECH, VLAN 250 GUEST

    RADIUS entries:

    TECH

    GUEST

    So if a user with mac1 connects to switch1 or switch2 and is authenticated successfully, the RADIUS server responds with Tunnel-Private-Group-ID = TECH instead of 100 or 200; regardless of the local VLAN number on the switch, if the name matches the name in the switch configuration, the switch will place it in the correctly numbered VLAN based on the name, hopefully eliminating the confusion of having to figure out how to get the same user into a differently numbered VLAN based on the access switch they connect to at the time.

    Hope this helps

    Howard

    Howard Hooper CCIE 23470

    CCDA CCNP CCNA

    MCP CWSE
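    The name-based assignment Howard describes is easy to check offline before touching the RADIUS server. The following is an added example, not code from the thread: it models the three RFC 3580 attributes an Access-Accept carries for dynamic VLAN assignment and resolves the Tunnel-Private-Group-ID against each switch's own VLAN table, so you can see why "TECH" lands on 100 on switch1 and 200 on switch2 while a numeric "100" only works on the switch that has it. The VLAN tables are constructed from the post's example; the RFC 2868 tag-octet handling is a general detail that goes beyond the post.

```python
# RADIUS attribute numbers from RFC 2868, used for VLAN assignment per RFC 3580 s.3.31.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN id or VLAN name, as a string

# Per-switch VLAN tables, constructed from Howard's example above.
SWITCH_VLANS = {
    "switch1": {1: "default", 100: "TECH", 150: "GUEST"},
    "switch2": {1: "default", 200: "TECH", 250: "GUEST"},
}


def build_access_accept(group_id, tag=None):
    """Attributes a RADIUS server would put in an Access-Accept for dynamic VLAN assignment.

    RFC 2868 allows a leading tag octet (0x01-0x1F) on Tunnel-Private-Group-ID so that
    several tunnel attribute sets can be grouped; when present it is not part of the VLAN name.
    """
    value = str(group_id)
    if tag is not None:
        value = chr(tag) + value
    return {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: value}


def resolve_vlan(switch, attrs):
    """Return the local VLAN id the switch should apply, or None if it cannot.

    None covers the cases where a switch leaves the port unauthorized: wrong tunnel
    type or medium, no group id, a number the switch has not configured, or a name
    that does not match any local VLAN name exactly.
    """
    if attrs.get(TUNNEL_TYPE) != 13 or attrs.get(TUNNEL_MEDIUM_TYPE) != 6:
        return None
    gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not gid:
        return None
    if ord(gid[0]) <= 0x1F:          # strip the RFC 2868 tag octet if one was sent
        gid = gid[1:]
    table = SWITCH_VLANS[switch]
    if gid.isdigit():                 # numeric form: must exist locally
        vid = int(gid)
        return vid if vid in table else None
    for vid, name in table.items():   # name form: exact, case-sensitive match
        if name == gid:
            return vid
    return None


def assign_port(switch, mac_known):
    """Outcome for one port: known endpoints get TECH, unknown ones the GUEST name."""
    attrs = build_access_accept("TECH" if mac_known else "GUEST")
    return resolve_vlan(switch, attrs)


if __name__ == "__main__":
    for sw in SWITCH_VLANS:
        print(sw, "known ->", assign_port(sw, True), "unknown ->", assign_port(sw, False))
```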

  • dot1x behavior 2

    I did a 'debug dot1x packet' with an XP supplicant. I had max-reauth-req 2 but I observed 3 EAP code=1 (request) frames; why is this not 2?

    My apologies for the previous ambiguity. The value of "max-reauth-req" is how many times it retries authenticating the session after it has already tried at least once. With the default value of 2, that's 3 EAPOL identity-request frames going out on the wire before entering the DISCONNECTED state, or the guest VLAN (depending on configuration).

    Hope this helps,

  • ACS + wired dot1x machine authentication

    Hello

    I'm trying to configure wired computer authentication. I followed this guide

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req

    However I simply get the same error on ACS all the time:

    Authenticator of invalid message in the request of the EAP

    Switch configuration:

    interface GigabitEthernet0/46
    switchport access vlan 20
    switchport mode access
    media-type rj45
    dot1x pae authenticator
    dot1x port-control auto
    dot1x reauthentication
    dot1x guest-vlan 20

    I am trying to set up group mapping to do the VLAN assignment; however, for the moment I have just put it under the unknown user policy with no VLAN assignment configured.

    Can anyone shed some light on this? All I want to do is authenticate a machine by certificate, issuing a VLAN ID based on the computer name and AD group. No user authentication; this can be done via the PDC.

    Purely using machine auth.

    See you soon

    Scott

    Scott,

    I recommend you change/retype the shared secret on the ACS server and the switch for the AAA Client and AAA server.

    Kind regards

    ~ JG

    Rate helpful posts
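    A check for the failure JG points at, added here as an example and not code from the thread or from ACS: it builds a constructed RADIUS Access-Request carrying an EAP-Message and verifies its Message-Authenticator (RFC 3579 section 3.2: HMAC-MD5 keyed with the shared secret over the packet with the attribute's own value zeroed), so a shared secret that differs by a single character fails exactly as ACS reports. The secret, identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac

ACCESS_REQUEST = 1
USER_NAME, NAS_PORT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 5, 79, 80

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Assemble an Access-Request; the Message-Authenticator is HMAC-MD5 over the
    whole packet computed with its own 16-byte value zeroed (RFC 3579 3.2)."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + req_auth
    packet = header + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed attribute is last, so replace its value

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute zeroed and compare in constant time.
    A packet without a Message-Authenticator is rejected (required with EAP-Message)."""
    i = 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[i + 2:i + 18]
            zeroed = packet[:i + 2] + bytes(16) + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += alen
    return False

# Constructed sample: EAP Response/Identity (code 2, id 1, length 14, type 1).
EAP_RESPONSE_IDENTITY = bytes([2, 1, 0, 14, 1]) + b"host/pc-1"
ATTRS = (attr(USER_NAME, b"host/pc-1") + attr(NAS_PORT, (46).to_bytes(4, "big"))
         + attr(EAP_MESSAGE, EAP_RESPONSE_IDENTITY))
SECRET = b"correct-secret"                # constructed shared secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
SAMPLE_PACKET = build_access_request(7, REQUEST_AUTHENTICATOR, ATTRS, SECRET)
```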

  • N2048 layer 3 - routing only some VLANs?

    Imagine this scenario - a simplified version of our desired setup:

    VLAN 1 - server VLAN 192.168.1.0/24

    VLAN 2 - client VLAN 192.168.2.0/24

    VLAN 50 - guest wifi VLAN 192.168.50.0/24

    We want traffic to move freely between VLAN 1 and VLAN 2 but prevent all traffic movement to VLAN 50.

    I have read and understand this Dell VLAN routing guide, but it only covers the scenario where you are happy for everything to flow between all the VLANs.

    I have a few questions that it would be great to have some help with:

    (1) Global routing - we believe that if we issue

    ip routing

    this will route all the VLANs, which is not what we want - correct?

    (2) However, if there is no IP address defined on the VLAN 50 interface, it won't route, correct? So as long as no VLAN we want to isolate has an IP address assigned to its VLAN interface, there is no routing?

    Thus, we could then issue an "ip routing" command and get what we want, provided we never configure an IP address on the VLAN 50 interface. We'll call this "Solution A" - would this work?

    (3) Static routing - if we issue static routes to specific subnets, this will allow all the VLANs with an IP address defined on their interface to route to them;

    for example, if I do

    ip route 192.168.1.0 255.255.255.0 192.168.1.1

    then VLAN 2 can reach VLAN 1, but so can VLAN 50.

    Is this right?

    (4) However, if I never create a route to VLAN 50, then although traffic could flow from VLAN 50 to VLAN 1, replies could never return - right?

    We'll call this Solution B - would it work?

    (5) If we wanted to make static routes that only apply in some VLANs, it looks as if DNOS has a vlan setting for the ip route command, but I can find no explanation of exactly what it means or how it works?

    We'll call this Solution C - would this work?

    (6) Finally, assuming all of these solutions work, which is the best one?

    Thank you.

    The # ip routing command enables routing globally. For routing to occur, the VLAN must have an IP address. You are right: if the VLAN is L2 only and does not have an IP assigned to it, devices on that VLAN will not be able to reach the other VLANs.

    Static routes are used to direct traffic to the next network hop. This is usually used to point traffic at your firewall. Static routes would not be used to direct traffic from one VLAN to another VLAN on the same switch.

    What device do you use as your firewall? It is not uncommon to set up a scenario similar to your Solution A: let the switch route between the server and client VLANs, then leave the guest VLAN at L2 and trunk that VLAN to the firewall. Then let the firewall manage guests' access to network resources and the internet.

    Another option would be to enable routing between all the VLANs, but then apply an ACL to restrict access on the guest VLAN. Page 629 of the user's guide begins detailing ACLs, how they work and how they are configured.

    http://Dell.to/1WFiTWT

  • SF300 VLAN IP address questions

    I bought 3 SF300-48 switches to work with my Aironet AP1131AG wireless APs. I have now gone from 1 VLAN for everything to having a Guest_Wireless VLAN 200 as well as the default VLAN 1 for my Corporate_Network. The issue I have is that any client on my default VLAN receives an IP address from the Windows DHCP server without problems, but when you connect to the guest VLAN you can't obtain an IP address.

    I also have a Cisco 3560G router (default gateway) which has the same Aironet AP1131AG AP connected to it with the same config as the additional access points, and it works perfectly. I can connect to each wireless SSID (Corp. VLAN 1 or guest VLAN 200) and get an IP address from the DHCP server.

    I also have the network plan below and was seeking help with the SF300 configuration to allow IPs to be obtained on the VLAN 200 subnet. I also tried connecting my laptop directly to the SF300 and configuring the port as an access port in VLAN 200, and I still can't get an IP address.

    Any help would be appreciated...

    Aaron

    Hi Aaron, on the 3560, is the port mode defined as dot1q encapsulation with a native VLAN specified? Also, on the SF300 the native VLAN is 1; did you tag VLAN 200 on the trunk?

    The Catalyst switch works differently than the SX300 switch in this sense.

    Note also that the SX300 does not participate in VTP or PAO.

    -Tom
    Please rate helpful posts
