I'm attempting to configure wired 802.1x for the first time, and am having some problems. This is on a 3750 stack running 12.2.53SE ipbase, with ACS 4.2SE.
Initially, what I want to get working is this.
A LAN user with an XP PC gets a prompt to log in to an account on an ACS, and is allocated to a VLAN as specified on the ACS. Any failed authentication ends up in a remediation VLAN.
For non-802.1x devices, the port falls back to MAC bypass, with failed authentication ending up in the same remediation VLAN; authenticated users get their VLAN allocated by ACS.
This is the config I used after reading through the 3750 12.2.52 config guide and following some sample configurations I found on cisco.com.
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
int range g1/0/1-48
 switchport mode access
 authentication violation restrict                    ! generate syslog on violation
 authentication port-control auto                     ! enables 802.1x on the port
 authentication host-mode single-host                 ! default, so not shown in running config
 dot1x guest-vlan 10                                  ! where 802.1x clients that fail auth end up
 authentication event fail action authorize vlan 10   ! where failed mac-bypass clients end up
 dot1x mac-auth-bypass                                ! enable mac bypass
 dot1x mac-auth-bypass timeout inactivity 10
I've configured ACS for the IETF settings, enabled VLAN 10 on the switch, and created a user on the ACS with the MAC address of the test PC, in a group enabled as VoIP so no password is required. The test PC is configured for 802.1x with MD5 Challenge, as per the examples.
The first problem is that the 802.1x phase appears to be skipped: no user authentication is requested on the PC. If I issue the exec command `dot1x test eapol`, then a prompt for authentication does appear on the test PC.
Then the process appears to fall back to MAC bypass; checking the ACS failed authentication log, I see that the failure code for the MAC address user name is `Access denied to VoIP group`.
The test PC does end up in VLAN 10, which does get allocated to the switch port, so that bit appears to work OK.
This is further complicated by changes to the commands: it seems that some of the dot1x commands have been replaced by authentication commands. What am I missing here?
When this is working I want to move on to machine authentication by EAP-TLS with certificates, but I need to get the basics working first.
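For reference, and as an added example that is not part of the original post, here is the same intent (802.1x first, MAC bypass as fallback, VLAN 10 as the remediation VLAN for both) written with the `authentication ...` and `mab` keywords that the 12.2(50)SE and later config guides use in place of the older `dot1x ...` interface commands. The VLAN number, interface range and inactivity value are taken from the post; the RADIUS server address and key are placeholders; and the note that `dot1x pae authenticator` is what makes the port start sending EAPOL identity requests on these releases is my assumption about why the 802.1x phase could appear to be skipped, not something the post confirms.

```cisco
! --- global (same as the post, plus a placeholder RADIUS server) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 key RADIUS_SHARED_SECRET   ! placeholder address/key, not from the post
!
! --- per-port, new-style syntax ---
int range g1/0/1-48
 switchport mode access
 authentication order dot1x mab                          ! try 802.1x first, then MAC bypass
 authentication priority dot1x mab                       ! an 802.1x client can pre-empt a MAB session
 authentication port-control auto
 authentication host-mode single-host
 authentication violation restrict
 authentication event fail action authorize vlan 10      ! failed authentication -> remediation VLAN
 authentication event no-response action authorize vlan 10 ! no supplicant -> same VLAN (replaces dot1x guest-vlan)
 authentication timer inactivity 10                      ! replaces dot1x mac-auth-bypass timeout inactivity
 mab                                                     ! replaces dot1x mac-auth-bypass
 dot1x pae authenticator                                 ! assumption: required on 12.2(50)SE+ for the port to run 802.1x at all
 dot1x timeout tx-period 10                              ! shorter EAPOL retry so MAB fallback is reached sooner
 dot1x max-reauth-req 2
!
! --- verification (exec mode) ---
! show authentication sessions interface g1/0/1   -> which method (dot1x or mab) authorised the port and the VLAN applied
! show dot1x interface g1/0/1 details             -> confirms PAE = AUTHENTICATOR and the supplicant/auth state
```

The `show authentication sessions` output is the quickest way to tell whether the switch ever ran 802.1x on the port or went straight to MAB, which is the distinction the post is trying to debug; compare it against the ACS failed-attempts log entry for the same MAC address.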