
802.1x Dynamic VLAN Switching Question

Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.

Environment:

ACS Express 5.0.1

C3550 running c3550-ipbasek9-mz.122-44.SE6.bin

Switch config:

aaa new-model
!
aaa group server radius dot1x
 server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541
!
aaa authentication dot1x default group dot1x
dot1x system-auth-control
dot1x guest-vlan supplicant
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 speed 100
 duplex full
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 spanning-tree portfast
!
ip radius source-interface FastEthernet0/1 vrf default
!
radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 01000307490E125E731F

Am I missing something easy?

2 Replies

The output of "debug radius" should help, can you capture it and post it?

It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.

The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down"
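
The fix reported in the reply above, turned into a configuration check, as an added example that is not part of the original thread: it scans a running-config for ports with "dot1x port-control auto" and reports which global commands needed for RADIUS VLAN assignment are absent. The function names and the sample config (constructed from the question's config, RADIUS key omitted, interface subcommands indented as "show running-config" prints them) are assumptions.

```python
import re

# Constructed sample: AAA/dot1x lines taken from the question's config (key omitted).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius dot1x
 server-private 10.10.1.4 auth-port 1645 acct-port 1646
aaa authentication dot1x default group dot1x
dot1x system-auth-control
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
"""

# Global commands that must be present before the switch applies a
# RADIUS-assigned VLAN to an 802.1x port.
REQUIRED_GLOBALS = {
    "aaa new-model": r"^aaa new-model$",
    "aaa authentication dot1x": r"^aaa authentication dot1x \S+ ",
    "aaa authorization network": r"^aaa authorization network \S+ ",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
}

def dot1x_ports(config):
    """Return the interfaces that have 'dot1x port-control auto' configured."""
    ports, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line and not line[0].isspace():
            current = None  # a new top-level command ends the interface block
        elif current and line.strip() == "dot1x port-control auto":
            ports.append(current)
    return ports

def audit(config):
    """Return the required global commands missing from a config that uses dot1x."""
    if not dot1x_ports(config):
        return []  # no 802.1x ports, nothing to require
    lines = [l.rstrip() for l in config.splitlines()]
    return [name for name, pattern in REQUIRED_GLOBALS.items()
            if not any(re.match(pattern, l) for l in lines)]

if __name__ == "__main__":
    print("dot1x ports:", dot1x_ports(SAMPLE_CONFIG))
    print("missing globals:", audit(SAMPLE_CONFIG))
```

Run against the question's config, the only finding is the missing "aaa authorization network" line, which matches the symptom of ACS logging the VLAN in its RADIUS response while the switch port stays in its static VLAN.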
