Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Cisco Support Community site will be in read only mode on Dec14, 2017 from 12:01am PST to 11:30am for standard maintenance. Sorry for the inconvenience.

New Member

802.1x Dynamic VLAN Switching Question

Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.

Environment:

ACS Express 5.0.1

C3550 running c3550-ipbasek9-mz.122-44.SE6.bin

Switch config:

aaa new-model

aaa group server radius dot1x

server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541

aaa authentication dot1x default group dot1x
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet0/3
switchport access vlan 3
switchport mode access
speed 100
duplex full
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast
ip radius source-interface FastEthernet0/1 vrf default!
radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 01000307490E125E731F
Am I missing something easy?

2 REPLIES
Cisco Employee

Re: 802.1x Dynamic VLAN Switching Question

The output of "debug radius"  should help, can you capture it and post it?

New Member

Re: 802.1x Dynamic VLAN Switching Question

It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.

The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down"

461
Views
0
Helpful
2
Replies
CreatePlease to create content