802.1X authentication fail

Unanswered Question
Aug 10th, 2010

Hi,


We have configured 802.1x authentication against a RADIUS server. We managed to configure the dynamic assignment of VLANs depending on the user entered. But now we want to configure the authentication-fail parameters, since we want to place users on a guest VLAN after two failed authentication tries.


This is the configuration we have on the interface:


interface GigabitEthernet1/48
 switchport
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period 100
 dot1x reauthentication
 dot1x guest-vlan 200
 dot1x auth-fail vlan 200
 dot1x auth-fail max-attempts 2
 spanning-tree portfast


With this configuration, when we enter a wrong user or password, we receive a message saying that Windows could not connect the device to the network, but it is not assigned to VLAN 200, and we are not prompted to enter our credentials a second time. On the switch we can see the port as unauthorized:


switch#sh dot1x all summary
Interface       PAE     Client          Status         
--------------------------------------------------------
Gi1/48          AUTH    none            UNAUTHORIZED


But if we enter the command "dot1x auth-fail max-attempts 1" it works perfectly. After a wrong authentication, the port is assigned to VLAN 200 and it appears as authorized:


switch#sh dot1x all summary
Interface       PAE     Client          Status         
--------------------------------------------------------
Gi1/48          AUTH    001e.3302.59fc  AUTHORIZED


What are we missing? Is there any timer or any value that we could have configured wrong?


THANK YOU VERY MUCH
