dot1X guest vlan authentication issue..Real Challenge!!

Unanswered Question
Apr 13th, 2009

Hi Guys!

I would really appreciate if some one could help me find lead on this issue...

My corporate and Quarantine users don't get the correct VLAN as soon as I enable the Guest VLAN feature... all of them go to the guest VLAN...

_________________________________

Scenario 1

_________________________________

interface GigabitEthernet3/0/42
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 5
 spanning-tree portfast

-------------------------

Test Workstation behavior

---------------------------

802.1X (Corporate) = VLAN 1

802.1X (Quarantine)= VLAN 20

Non-802.1X (Guest) = Unauthorized

-----------------------------

Conclusion

----------------------------

802.1x authentication is working without the guest VLAN feature

____________________________________

Scenario 2

_____________________________________

interface GigabitEthernet3/0/42
 switchport mode access
 authentication event no-response action authorize vlan 30
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 5
 spanning-tree portfast

--------------------------------

Test Workstation behavior

--------------------------------

802.1X (Corporate) = VLAN 30 GuestVlan

802.1X (Quarantine)= VLAN 30 GuestVlan

Non-802.1X = VLAN 30 GuestVlan

--------------------------------

Conclusion

-------------------------------

802.1X doesn't work after enabling Guest VLAN feature (no-response)

----------------------------

Some important notes...

----------------------------

1) IOS version = c3750-ipbase-mz.122-50.SE.bin, the only IOS which supports the 10gig modules, so I cannot test with any other IOS.

2) We had older 3750 100Mbps switches with the same config (we copied the config from the old switch to the new switch) and the only command which got changed automatically due to the IOS change is...

dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)

so even if you put in the old command syntax it will get changed to the new one...

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660

Guys please help me.........

zubair-shaikh Mon, 04/13/2009 - 02:28

Just to update you here... after running some debugs on the switch I found that... (Scenario 2)

When we connect 802.1X-enabled PCs (Corporate users) and boot them... they initially behave like non-802.1X clients while booting, and during that time the switch puts them in the guest VLAN, but when the workstation comes to a state (login prompt) where it starts communicating like an 802.1X client... the switch just fails to put them in the appropriate VLANs.. maybe due to some timeout issues... I feel like I am very close to getting the solution but I am just wondering which timers need to change, or maybe I am wrong and there is something else that needs to be put in... anyway, I just shared my findings with you...

The same workstations are working fine with the old switches without any problem... it is Windows XP SP3

jafrazie Mon, 04/13/2009 - 06:04

This should work either way, but FYI you have tweaked the following timer:

dot1x timeout tx-period 5

This means as soon as link comes up, the switch will send EAPOL-Id-Req frames on the wire to look for a supplicant. If it doesn't find one after 3 of these requests (15-sec) then if you also have the Guest-VLAN enabled, the port will be enabled blindly into the Guest-VLAN. The supplicant must certainly now send an EAPOL-Start to "get out" of the Guest-VLAN, but it should work either way, else it's a bug (or mis-config). Make sure your supplicant sends EAPOL-Starts either way.

HTH a little,

zubair-shaikh Tue, 04/14/2009 - 02:15

Yeah, I am tweaking the dot1x timers and seeing some better results... but I still need to conduct a few more tests.. I will update my results here soon...

Please see the debugs if you can point out something... I already commented (blue) and highlighted (red) a few important points in the attached file "DOC1x_v2.rtf"

--------------------------------------

debug dot1x all

debug radius

---------------------------------------

Please find attached file "DOC1x_v2.rtf"

zubair-shaikh Wed, 04/15/2009 - 03:51

Hi guys

Here is the workaround and permanent fix for this issue

----------------------------------

Workaround

---------------------------------

Adjust the timeout timers (tx-period) and see what works best for your environment.

Config#dot1x timeout tx-period value

-------------------------------

Permanent Fix

-------------------------------

TAC found this internally in bug CSCsx49718 and has now changed it to an external bug found in customer use, so it should be visible on cisco.com in the following days.

Possibly we could see this fix in IOS 12.2(52) by fall 2009

"Do rate this article if it is useful for you"
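The tx-period behaviour jafrazie describes above and the tx-period workaround in this post, as an added timing model (not code from the thread or from Cisco IOS). It assumes the switch sends the first EAPOL Request/Identity at link-up, retransmits every tx-period seconds up to three times, authorizes the port into the guest VLAN when that window closes, and that a late supplicant can only get out by sending an EAPOL-Start; the VLAN numbers and the quiet-period of 5 come from the thread, the supplicant boot times are constructed.

```python
import math

GUEST_VLAN = 30  # "authentication event no-response action authorize vlan 30" from the thread
AUTH_VLAN = 1    # VLAN a successfully authenticated corporate user lands in (Scenario 1)


def request_times(tx_period, max_reauth_req=3):
    """Seconds after link-up at which the switch sends each EAPOL Request/Identity."""
    return [n * tx_period for n in range(max_reauth_req)]


def min_tx_period(boot_seconds, max_reauth_req=3):
    """Smallest tx-period whose last Request/Identity is still sent once the supplicant is up."""
    return math.ceil(boot_seconds / (max_reauth_req - 1))


def simulate_port(tx_period, supplicant_ready_at, sends_eapol_start,
                  guest_vlan=GUEST_VLAN, max_reauth_req=3, quiet_period=5):
    """Return (vlan, outcome, seconds after link-up at which that outcome was decided)."""
    deadline = max_reauth_req * tx_period  # switch gives up on EAP after this (assumed model)
    # A supplicant that is already running when a Request/Identity arrives answers it.
    hits = [t for t in request_times(tx_period, max_reauth_req) if t >= supplicant_ready_at]
    if hits:
        return AUTH_VLAN, "authenticated", hits[0]
    if sends_eapol_start:
        # An EAPOL-Start restarts authentication whenever it arrives; if the port had already
        # fallen into the guest VLAN it is pulled back out, as jafrazie describes.
        in_guest = guest_vlan is not None and supplicant_ready_at >= deadline
        return AUTH_VLAN, "recovered-from-guest" if in_guest else "authenticated", supplicant_ready_at
    if guest_vlan is None:
        # Scenario 1 (no guest VLAN): the port stays unauthorized, waits quiet-period, and
        # probes again, so a late supplicant without EAPOL-Start is caught by a later cycle.
        cycle_start = deadline + quiet_period
        while True:
            later = [cycle_start + t for t in request_times(tx_period, max_reauth_req)
                     if cycle_start + t >= supplicant_ready_at]
            if later:
                return AUTH_VLAN, "authenticated", later[0]
            cycle_start += deadline + quiet_period
    # Scenario 2: nobody answered and no Start ever comes, so the port sits in the guest VLAN.
    return guest_vlan, "stuck-in-guest", deadline
```

With tx-period 5 a workstation that needs 12 s to bring up its supplicant misses all three requests and stays in VLAN 30 unless it sends an EAPOL-Start, while min_tx_period(40) shows the 20 s tx-period needed for a 40 s boot.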
