dot1x dynamic vlan assignment on a 871

c.karl
Level 1

Hi guys,

I am trying to assign a vlan to the fa 0 - 3 interfaces via dot1x. I'm already successfully using this feature on a 6500, a few 2970 and a few 2940. But the 871 seems to be a little different. I'm running IOS 12.4(11)T on the 871. When a host is authenticated the switchport will not be assigned to the vlan which is specified by the radius server; the 871 just uses the vlan with the highest VLAN id.

When I remove the dynamic vlan assignment from the radius server, the 871 also ignores the switchport access vlan command and assigns the port to the vlan with the highest ID.

What's wrong?

Thanks

Here's the config:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c87101
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging userinfo
logging buffered 32000
logging rate-limit console 2 except critical
logging console warnings
!
aaa new-model
!
!
aaa group server radius RADIUS-AUTH-SERVER
 server X auth-port 1812 acct-port 1813
 server X auth-port 1812 acct-port 1813
 ip radius source-interface Tunnel1
!
aaa authentication login VTYMETHOD line enable local
aaa authentication login CONSOLE_METHOD group RADIUS-AUTH-SERVER local
aaa authentication login VIRTUAL_METHOD group RADIUS-AUTH-SERVER local
aaa authentication login eap_methods group RADIUS-AUTH-SERVER
aaa authentication dot1x default group RADIUS-AUTH-SERVER
aaa authentication dot1x DOT1X_METHOD group RADIUS-AUTH-SERVER
aaa session-id common
clock timezone GMT 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
ip cef
!
!
ip dhcp relay information trust-all
no ip dhcp use vrf connected
!
ip dhcp pool GUEST
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.254
!
ip dhcp pool SITE2SITE2
 network x.x.x.x 255.255.255.248
!
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip tftp source-interface FastEthernet4
no ip bootp server
no ip domain lookup
multilink bundle-name authenticated
interface Tunnel1
 bandwidth 6500
 ip address 139.19.107.4 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication testing
 ip nhrp map multicast 139.19.100.17
 ip nhrp map 139.19.107.254 139.19.100.17
 ip nhrp network-id 252
 ip nhrp holdtime 300
 ip nhrp nhs 139.19.107.254
 ip nhrp cache non-authoritative
 delay 1000
 keepalive 3 5
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0
 switchport access vlan 2
 dot1x pae authenticator
 dot1x port-control auto
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 2
 dot1x pae authenticator
 dot1x port-control auto
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 2
 dot1x pae authenticator
 dot1x port-control auto
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 2
 dot1x pae authenticator
 dot1x port-control auto
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet4
 ip address dhcp
 duplex auto
 speed auto
 no cdp enable
interface Vlan3
 no ip address
 bridge-group 3
 bridge-group 3 spanning-disabled
!
interface Vlan2
 no ip address
 bridge-group 2
 bridge-group 2 spanning-disabled
interface BVI2
 description gateway site2site2
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface BVI3
 description Unauthoriserte Rechner nutzen dieses Netz
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map UNAUTHORISERT-ZU-INTERNET

2 Replies

t-heeter
Level 1

Don't you need

aaa authorization network default group RADIUS-AUTH-SERVER

for dynamic vlan assignment?
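The prerequisite the reply points at can be checked mechanically against a config dump. The Python script below is an added example, not code from this thread or from Cisco: it parses an IOS running-config, lists the switch ports that have `dot1x port-control auto`, and reports whether the global configuration carries an `aaa authorization network default group <group>` line for the same RADIUS group that `aaa authentication dot1x` uses. It also looks for `dot1x system-auth-control`, which Catalyst IOS requires globally before 802.1X runs on any port; that the 871's switch ports need it too is an assumption. The embedded config is a constructed, shortened copy of the one posted above, with a documentation address (192.0.2.10) in place of the server.

```python
"""Audit a Cisco IOS running-config for 802.1X dynamic-VLAN prerequisites.

Added example, not code from this thread or from Cisco. The sample config is
a constructed, shortened copy of the one posted in the thread.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RADIUS-AUTH-SERVER
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication dot1x default group RADIUS-AUTH-SERVER
!
interface FastEthernet0
 switchport access vlan 2
 dot1x pae authenticator
 dot1x port-control auto
!
interface FastEthernet1
 switchport access vlan 2
 dot1x pae authenticator
 dot1x port-control auto
!
interface FastEthernet4
 ip address dhcp
"""


def global_lines(config):
    """Top-level (unindented) config lines, with '!' separators dropped."""
    return [ln.strip() for ln in config.splitlines()
            if ln and not ln.startswith((" ", "!"))]


def parse_interfaces(config):
    """Return {interface name: [sub-commands]}; a '!' or any other
    top-level line ends the current interface block."""
    interfaces, current = {}, None
    for ln in config.splitlines():
        if ln.startswith("interface "):
            current = ln.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and ln.startswith(" "):
            interfaces[current].append(ln.strip())
        else:
            current = None
    return interfaces


def audit_dot1x(config):
    """Report the dot1x-enabled ports and the state of the global prerequisites."""
    top = global_lines(config)

    auth_group = None
    for ln in top:
        m = re.match(r"aaa authentication dot1x \S+ group (\S+)", ln)
        if m:
            auth_group = m.group(1)
            break

    # A RADIUS-assigned VLAN is an *authorization* result: IOS applies it only
    # when network authorization on the default list points at the same server
    # group that authenticates the dot1x session.
    authz_groups = set()
    for ln in top:
        m = re.match(r"aaa authorization network default group (\S+)", ln)
        if m:
            authz_groups.add(m.group(1))

    ports = {}
    for name, cmds in parse_interfaces(config).items():
        if "dot1x port-control auto" not in cmds:
            continue
        vlan = None
        for c in cmds:
            m = re.match(r"switchport access vlan (\d+)", c)
            if m:
                vlan = int(m.group(1))
        ports[name] = vlan  # the static VLAN configured on the port

    return {
        "auth_group": auth_group,
        "authorization_network_ok": auth_group is not None and auth_group in authz_groups,
        # Required globally on Catalyst IOS before 802.1X is active on any
        # port; assumed here to apply to the 871's switch ports as well.
        "system_auth_control": "dot1x system-auth-control" in top,
        "dot1x_ports": ports,
    }


def suggested_fixes(report):
    """Global lines missing from the config, in the order to enter them."""
    fixes = []
    if not report["system_auth_control"]:
        fixes.append("dot1x system-auth-control")
    if report["auth_group"] and not report["authorization_network_ok"]:
        fixes.append(f"aaa authorization network default group {report['auth_group']}")
    return fixes


if __name__ == "__main__":
    rep = audit_dot1x(SAMPLE_CONFIG)
    for port, vlan in rep["dot1x_ports"].items():
        print(f"{port}: dot1x enabled, static access vlan {vlan}")
    for fix in suggested_fixes(rep):
        print("missing:", fix)
```

The VLAN itself arrives in the RADIUS Access-Accept as the Tunnel-Type (VLAN), Tunnel-Medium-Type (802) and Tunnel-Private-Group-ID (the VLAN id or name) attributes; without network authorization the switch never acts on them, so the missing lines this script reports are the first thing to rule out when an authenticated port ends up in an unexpected VLAN.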

After a reload the config just works. It's always the same, with and without vlan assignment.