802.1x configuration issues

Unanswered Question
Apr 22nd, 2010

I'm attempting to configure wired 802.1x for the first time, and am having some problems. This is on a 3750 stack running 12.2.53SE ipbase, with ACS 4.2SE.

Initially what I want to get working is this.

A LAN user with an XP PC gets a prompt to log in to an account on an ACS, and is allocated to a vlan as specified on the ACS. Any failed authentication ends up in a remediation vlan.

For non 802.1x devices, the port falls back to MAC bypass, with failed authentication ending up in the same remediation vlan, and authenticated users get their vlan allocated by ACS.

This is the config I used after reading through the 3750 12.2.52 config guide, and following a sample configuration I found on cisco.com.

aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control

int range g1/0/1-48
 switchport mode access
 authentication violation restrict                 ! generate syslog on violation
 authentication port-control auto                  ! enables 802.1x on the port
 authentication host-mode single-host              ! default, so not shown in running config
 authentication periodic
 dot1x guest-vlan 10                               ! where 802.1x clients that fail auth end up
 authentication event fail action authorize vlan 10   ! where failed mac-bypass clients end up
 dot1x mac-auth-bypass                             ! enable mac bypass
 dot1x mac-auth-bypass timeout inactivity 10

I've configured ACS for the IETF settings, enabled vlan 10 on the switch, and created a user on the ACS with the MAC address of the test PC, in a group enabled as VoIP so no password required. The test PC is configured for 802.1x with MD5 Challenge, as per the examples.

The first problem is that the 802.1x phase appears to be skipped; no user authentication is requested on the PC. If I issue the exec command `dot1x test eapol` then a prompt for authentication does appear on the test PC.

Then the process appears to fall back to MAC bypass. Checking the ACS failed authentication log, I see that the failure code for the MAC address user name is 'Access denied to VoIP group'.

The test PC does end up in vlan 10, which does get allocated to the switch port, so that bit appears to work ok.

This is further complicated by changes to the commands; it seems that some of the dot1x commands have been replaced by authentication commands. What am I missing here?

When this is working I want to move onto machine authentication by EAP-TLS with certificates, but I need to get the basics working first.

daxvancamp Wed, 05/05/2010 - 02:47
Aren't you missing the aaa new-model?

This is my configuration:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

dot1x system-auth-control

interface GigabitEthernet1/0/2
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 7
dot1x auth-fail vlan 7
spanning-tree portfast

radius-server host X.X.X.X auth-port 1812 acct-port 1813 key hidden
radius-server host Y.Y.Y.Y auth-port 1812 acct-port 1813 key hidden
radius-server deadtime 5
radius-server vsa send authentication

aacole Thu, 05/06/2010 - 10:39

Hi, I had missed that off the configuration paste, although I've not used the `radius-server vsa send authentication` command, will have a read up on that. The .1x is working now, the problem turned out to be a communication failure between the switch and ACS.
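
Added example, not part of the original thread or anyone's posted configuration: the setup discussed above depends on the switch accepting the RADIUS server's reply and on that reply carrying the IETF tunnel attributes used for VLAN assignment. This Python code checks an Access-Accept the way an authenticator would, verifying the Response Authenticator against the shared secret (RFC 2865) and extracting the VLAN from Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID (RFC 3580). The packet, shared secret, request authenticator and VLAN value are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # RFC 3580 values required for VLAN assignment

def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept so the checks below have input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def check_accept(packet, request_auth, secret):
    """Return (authenticator_ok, vlan_id or None) for an Access-Accept."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs = parse_attrs(packet)
    signed = packet[:4] + request_auth + packet[20:length] + secret
    auth_ok = hmac.compare_digest(hashlib.md5(signed).digest(), packet[4:20])
    # Tunnel-Type and Tunnel-Medium-Type: 1-byte tag + 3-byte value (RFC 2868)
    t_type = int.from_bytes(attrs.get(TUNNEL_TYPE, b"")[1:], "big")
    t_medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    if t_type != VLAN or t_medium != IEEE_802 or not group:
        return auth_ok, None  # incomplete attribute set: no VLAN to assign
    return auth_ok, group.decode("ascii")

# Constructed sample data: secret, request authenticator and VLAN are made up.
REQ_AUTH = bytes(range(16))
SAMPLE = build_accept(7, REQ_AUTH, b"shared-secret", [
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
    (TUNNEL_PRIVATE_GROUP_ID, b"20")])
print(check_accept(SAMPLE, REQ_AUTH, b"shared-secret"))
```

Checking the same packet with a different secret returns a failed authenticator check, which is how a shared-secret mismatch between the two ends shows up as a discarded reply.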