Problem with Machine Authentication and 802.1x Authentication

Unanswered Question
Feb 17th, 2009


I would like to configure Dot1x authentication on each switch interface that belongs to data and voice vlan such as for eg:

Interface FastEthernet 1/1

switchport access vlan 10

switchport voice vlan 20

But it is not allowed to configure Dot1x on these interfaces, Our aim is to provide authorized access to our LAN either by Dot1x Authentication or through Machine Authentication.

Now I am having the following doubts

1.Is Dot1x configurations on switch ports is a part of Machine Authentication procedure

2.What kind of configurations is required on switch port interface to enable machine authentication

3.And how the individual switch port is controlled in case of machine authentication.

Your kind response will be appreciated and thanks in advance.

Best Regards,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jafrazie Wed, 02/18/2009 - 04:59

You need to configure the following on the port:

Swichport mode access


itlogical Thu, 02/19/2009 - 03:55

Thanks for the immediate response,I verified the Switchport mode access is configured but still Dot1x is not allowed to configured.

Thanks and Regards

Daniel Laden Thu, 02/19/2009 - 08:54

What is the model switch and IOS/CATOS version running. What is the current AAA and DOT1X global settings. What is the configuration for the port. What is the command that you are entering that is failing.

itlogical Sun, 02/22/2009 - 02:08


Thanks for the kind response, please be updated on the following

1. IOS Version and Model:

Cisco Internetwork Operating System Software IOS (tm) s3223_rp Software (s3223_rp-IPBASEK9-M), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)

cisco WS-C6509-E (R7000) processor (revision 1.2) with 227328K/34816K bytes of memory.Processor board ID SMC1022009Q

2. AAA and DOT1x global configs:

aaa new-model

aaa authentication fail-message ^CCCUsername or Password is not Correct^C

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authentication dot1x default group radius

aaa authorization config-commands

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting send stop-record authentication failure

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host x.x.x.x

tacacs-server host y.y.y.y

tacacs-server key zzz

radius-server host x.x.x.x auth-port 1645 acct-port 1646 key zzz

radius-server host y.y.y.y auth-port 1645 acct-port 1646 key zzz

radius-server source-ports 1645-1646

3. Port Configs:

sh run interface fa2/6

Building configuration...

Current configuration : 139 bytes


interface FastEthernet2/6


switchport access vlan 101

switchport mode access

switchport voice vlan 102

no ip address


4. Dot1x command output:

dot1x port-control auto

Command rejected: One or more ports configured with voice vlan.

Dot1x can't be enabled on voice vlan configured ports.

Hope this information will help you to suggest a feasible solution.

Once again Thanks

Kind Regards,


This Discussion