802.1x Dynamic VLAN Switching Question

Jul 14th, 2010

Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.


ACS Express 5.0.1

C3550 running c3550-ipbasek9-mz.122-44.SE6.bin

Switch config:

aaa new-model
aaa group server radius dot1x
 server-private auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541
aaa authentication dot1x default group dot1x
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 speed 100
 duplex full
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 spanning-tree portfast
ip radius source-interface FastEthernet0/1 vrf default
!
radius-server host auth-port 1645 acct-port 1646 key 7 01000307490E125E731F

Am I missing something easy?
adam.schwartzbe... Thu, 07/15/2010 - 10:49

It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.

The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down".
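
An added example, not part of the original thread: a small Python check that flags the gap found above, where 802.1X ports are enabled but no network authorization method list exists. The sample configs are constructed from the posted one (RADIUS server lines omitted), and the function names are hypothetical.

```python
import re

# Constructed sample: the thread's switch config, trimmed (RADIUS server lines omitted).
BEFORE = """\
aaa new-model
aaa group server radius dot1x
aaa authentication dot1x default group dot1x
dot1x system-auth-control
interface FastEthernet0/3
 switchport access vlan 3
 dot1x pae authenticator
 dot1x port-control auto
"""
# Same config plus the command the follow-up post identified as missing.
AFTER = BEFORE.replace(
    "dot1x system-auth-control",
    "aaa authorization network default group dot1x\ndot1x system-auth-control",
)

def dot1x_ports(config):
    """Interfaces with 'dot1x port-control auto' (an interface-level command)."""
    ports, current = [], None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line.strip())
        if m:
            current = m.group(1)
        elif current and line.strip() == "dot1x port-control auto":
            ports.append(current)
    return ports

def audit(config):
    """Return findings; an empty list means the dot1x AAA method lists are present."""
    lines = [l.strip() for l in config.splitlines()]
    ports = dot1x_ports(config)
    if not ports:
        return []
    findings = []
    if "dot1x system-auth-control" not in lines:
        findings.append("dot1x system-auth-control is not enabled globally")
    if not any(l.startswith("aaa authentication dot1x default ") for l in lines):
        findings.append("no 'aaa authentication dot1x default' method list")
    if not any(l.startswith("aaa authorization network default ") for l in lines):
        findings.append("no 'aaa authorization network default' method list: "
                        "RADIUS-assigned VLANs are not applied on " + ", ".join(ports))
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or "ok")
```

The port lookup does not rely on indentation, so it also works on a flattened paste like the one in the question.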