7960 and 802.1x


I am trying to implement 802.1x on our network. We mostly have Cisco 7960 phones, which don't support 802.1x. However, I thought you could configure a voice VLAN and they would still work. However, the switch seems to put the phone in the Guest VLAN because of authentication failure. Here's my configuration on the port.

I will appreciate any help on this.

interface FastEthernet0/7
 switchport access vlan 17
 switchport mode access
 switchport voice vlan 3030
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout tx-period 10
 dot1x reauthentication
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
 dot1x auth-fail max-attempts 2
 spanning-tree portfast

jafrazie Wed, 01/07/2009 - 13:58

Yep. To be clear, taking that off now allows the phone to get into the network "for free" just b/c it can do CDP with the switch. Essentially, the phone is ignored entirely based on a CDP-exchange.

Thanks. Now I am running into another issue. When I connect the computer to the phone, even though the computer has a valid certificate, it goes into the Guest VLAN. I have to issue the reauthenticate command to allow it to get the proper VLAN. I have configured the supplicant on the computer, have the dot1x guest-vlan supplicant command configured on the switch, and my 7960 phone is running 8.0 (9.0). But it doesn't seem to help.


jafrazie Thu, 01/08/2009 - 08:51

Make sure your supplicant is configured for EAPOL-Starts. MSFT doesn't have this enabled by default with anything XP SP2 and below. Otherwise, the port will be in the guest-vlan just after you plug the phone in and stay there.

Yes, I do have SupplicantMode=3 configured on the Laptops. I had used the same computers for my previous testing.

For some reason I am seeing mixed results. Now when I have a computer without a valid certificate, the switch puts it in the Guest VLAN. But then it takes it out and puts it in Unauthorized state (no access) after 30 secs. This keeps repeating, so the port keeps bouncing from Guest VLAN to Unauthorized state. I have attached the logs and also the configuration.

I am still trying to identify why this is happening.



jafrazie Thu, 01/08/2009 - 10:32

Make sure this machine works when you plug it directly into the switch. From the log, the machine sends an EAPOL-Start and then doesn't answer the switch's initial identity request. This could indicate that there is in fact no cert on the box for it to use.

Yes, the machine I used to get this log DOES NOT have the certificate. So it should be assigned the GUEST VLAN and stay in the GUEST VLAN. But instead, it (the switch port) keeps flapping between GUEST VLAN and Unauthorized status. You can see that in the logs I attached. This is the same even if I connect the laptop directly to the switch.

The machine WITH a valid certificate staying in GUEST is another issue, and it looks intermittent at this time.

jafrazie Thu, 01/08/2009 - 11:08

Well, your supplicant is sending an EAPOL-Start to the switch, which to the switch is an indication that the client is in fact capable of running 1X, so it removes the Guest-VLAN and tries to authenticate it.

Yes, even though the client is capable of running 802.1x, it doesn't have a valid certificate. So the authentication should fail and it should be assigned the auth-fail VLAN, which is 999. The switch actually assigns that VLAN but then keeps flapping.

If you take a look at the log, you see the following messages right after it assigns the GUEST VLAN, which I don't understand.

23:16:04: dot1x-ev:Found the default authenticator instance on FastEthernet0/11
23:16:04: dot1x-ev:dot1x_guest_vlan_set_eapol_seen: Deactivated guest VLAN 999 on port FastEthernet0/11
23:16:04: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 0 on interface FastEthernet0/11 in DATA domain
23:16:04: dot1x-ev:vlan 999 vp is removed on interface FastEthernet0/11
23:16:04: dot1x-ev:ignored vlan 17 vp is added on interface FastEthernet0/11
23:16:04: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/11
23:16:04: dot1x-ev:Setting vlan to 0 for FastEthernet0/11 on data Vlan

jafrazie Thu, 01/08/2009 - 13:33

The client is not failing authentication. It's timing out on authentication. Failing would mean you get a reject back from RADIUS, EAPOL-Failure message to client, etc.

jafrazie Thu, 01/08/2009 - 13:48

This is what dot1x guest-vlan supplicant should do. I think the MSFT supplicant will give up sending EAPOL after 3 attempts.

Understood. I successfully tested the computer that supports an 802.1x supplicant but has an invalid certificate.

However, I also noticed that the switch interface flaps between Guest VLAN and Unauthorized state if I use a computer which is not an 802.1x supplicant. This is the case whether the computer is connected directly to the switch or through an IP phone. This will be a usual situation in the company for guest users. I thought dot1x guest-vlan supplicant should have fixed this and put the port in the Guest VLAN.


jafrazie Thu, 01/08/2009 - 17:40

The guest-vlan supplicant stuff is only useful if the supplicant gives up on EAPOL entirely AFTER there's been EAPOL on the port during the life of link on the port.

Here's what happens based on your config if a 1X session fails.

1) 1X will fail normally.

2) 1X will fail again immediately (b/c you have auth-fail-vlan turned on, and not sure why you set it to max-attempts 2 but OK).

3) Port enters into Auth-Fail-VLAN immediately after step 2.

4) Upon exiting HELD state (probably 60-sec), supplicant will try to re-auth but the switch will ignore any subsequent EAPOL-Start frames from the supplicant since it's placed it in the Auth-Fail-VLAN at step 3.

Here's what happens based on your config if a 1X session times out and has no supplicant at all.

1) EAPOL-Id-Request from switch.

2) 10-sec later, another (b/c you tweaked your tx-period).

3) 10-sec later, another.

4) 10-sec later, port goes into Guest-VLAN and stays there (as long as you don't in fact send in EAPOL to the switch).

So, not counting the issue of being enabled for TLS but in fact not having a cert: if the above is NOT happening, I'd recommend a TAC case for a closer look.

HTH a little,
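As an added example, not from the thread or from Cisco, here is a small Python model of the authenticator behaviour described above, driven by the port's own values (tx-period 10, auth-fail max-attempts 2, guest and auth-fail VLAN 999). It assumes the IOS default of two Identity-Request retries (max-reauth-req 2) and simplifies the real state machine to the three outcomes the thread discusses; host events are supplied as a dict mapping a second to "eapol_start" or "reject".

```python
from dataclasses import dataclass, field

@dataclass
class PortConfig:                  # values taken from the port config in the post
    guest_vlan: int = 999          # dot1x guest-vlan 999
    auth_fail_vlan: int = 999      # dot1x auth-fail vlan 999
    auth_fail_max_attempts: int = 2  # dot1x auth-fail max-attempts 2
    tx_period: int = 10            # dot1x timeout tx-period 10
    max_reauth_req: int = 2        # assumed IOS default: retries after the first Identity-Request
    guest_vlan_supplicant: bool = False  # dot1x guest-vlan supplicant
@dataclass
class Authenticator:
    cfg: PortConfig
    vlan: int = 0                  # 0 = unauthorized, like "Setting vlan 0 ... in DATA domain"
    why: str = "unauthorized"      # "unauthorized" | "guest" | "auth-fail"
    eapol_seen: bool = False
    failures: int = 0
    trace: list = field(default_factory=list)  # (second, event) pairs

    def run(self, host_events: dict, until: int) -> int:
        # host_events: {second: "eapol_start" | "reject"}; one tick per second
        next_request, sent = 0, 0
        for t in range(until + 1):
            ev = host_events.get(t)
            if ev == "eapol_start":
                if self.why == "auth-fail":  # step 4: EAPOL-Start ignored in Auth-Fail VLAN
                    self.trace.append((t, "EAPOL-Start ignored in Auth-Fail VLAN"))
                    continue
                if self.why == "guest":      # guest VLAN is only for EAPOL-silent hosts
                    self.trace.append((t, f"Deactivated guest VLAN {self.vlan}"))
                self.vlan, self.why, self.eapol_seen = 0, "unauthorized", True
                next_request, sent = t, 0    # restart the identity exchange
            elif ev == "reject":             # RADIUS Access-Reject -> EAPOL-Failure
                self.failures += 1
                if self.failures >= self.cfg.auth_fail_max_attempts:
                    self.vlan, self.why = self.cfg.auth_fail_vlan, "auth-fail"
                    self.trace.append((t, f"Placed in Auth-Fail VLAN {self.vlan}"))
                continue
            if self.vlan or t < next_request:
                continue
            if sent <= self.cfg.max_reauth_req:
                sent += 1
                self.trace.append((t, f"Identity-Request {sent}"))
                next_request = t + self.cfg.tx_period
            elif not self.eapol_seen or self.cfg.guest_vlan_supplicant:
                self.vlan, self.why = self.cfg.guest_vlan, "guest"
                self.trace.append((t, f"Placed in Guest VLAN {self.vlan}"))
            else:                            # EAPOL seen earlier: stay unauthorized, retry
                next_request, sent = t + self.cfg.tx_period, 0
        return self.vlan
```

With the post's config, a silent host lands in the Guest VLAN at 30 s (three requests at tx-period 10), and an EAPOL-Start arriving after that deactivates the Guest VLAN and leaves the port unauthorized, which is the bounce in the log; only with guest-vlan supplicant set does the port return to the Guest VLAN once the retries time out again.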

