802.1x fail authentication - packets keep discarded

rpratikno
Level 1

Hi all,

I'm implementing 802.1x using a Catalyst 3560 and MS IAS as the RADIUS server. The plan is that every PC needs to authenticate using PEAP with RADIUS and is assigned to a VLAN. Failed authentication will be assigned to the guest VLAN.

The problem is when I'm testing a PC: I set the PC without 802.1x enabled and plug it into the 3560 port, and the port keeps discarding that PC's packets forever. I removed the dot1x configuration on the interface, but it keeps discarding all packets (can't ping anywhere). When I plugged the PC into another port with the same configuration (no dot1x), it works. I have tried shut and no shut on the interface, disabling and enabling devices, removing the config, etc., but the PC can't ping anywhere.

I'm happy to paste the config. Could anyone please explain to me why this happens and what the solution is? Many thanks.

1 Accepted Solution

Accepted Solutions

jafrazie
Cisco Employee

Here's an example config that should work:

interface GigabitEthernet1/0/5
 switchport access vlan 31
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 35
 dot1x auth-fail vlan 35
end

This should NOT keep a non-1x machine from accessing the network forever. With the above, and default timers, it's a 90-sec timeout of 802.1X. You can tweak the tx-period and the max-reauth-req variable to get this down to 2-sec if you wish. If you remove 802.1X, then this should also not discard packets. If the 2 items above are truly occurring, then you have hit a software bug, and a TAC case should be opened immediately. Are you sure something like DHCP just hasn't timed out on you though?

NOTE: The config above has vlan 35 for the guest-vlan being equal to the auth-fail-vlan based on you stating the need for this above. It could be different than the guest-vlan if you wanted it to be. Either/both could be the same vlan as what's statically configured on the port as well [31].

Hope this helps,

6 Replies

Hi jafrazie

Thank you for your reply.

It seems my IOS 12.2-25(SEB4) doesn't support dot1x auth-fail. I need to update my IOS first and will keep you up to date.

Anyway, is there any command to refresh dot1x interface status or do you have any idea what makes the switch interface block the machine? At the moment, the port keeps blocking the specific machine. I don't know whether the IAS or Switch has the authority to unblock it. Your opinion will be highly appreciated.

Thanks again.

OK, so apologies. There's a fine line b/t auth-fail and auth-timeout ;-). You need the auth-fail-vlan if you ever want to try and give network access to something that actually fails authc. Please reference this with your security policies BTW.

If you need to take a look at the real-time state on the port, just repeat the "show dot1x interface " command.

Auth failure can block access for a machine (b/c it's supposed to by default). Auth timeout can block access for a machine (b/c it's supposed to by default). Typically, the authority for this is your IAS server, so authc presumably works successfully to unblock access.

Does this help?

Hi jafrazie,

Thanks again for your explanations.

With the new IOS, it looks fine now. Auth-fail is definitely a good feature compared to the previous limited dot1x commands.

With my problem, I'm sure auth timeout is not the one that blocks the machine; I let the machine ping -t the gateway for a couple of minutes. The "show dot1x interface" didn't show any error state. It didn't even give access to the guest VLAN. Still wondering what causes it.

Do you mind explaining why we need guest-vlan if we already have auth-fail?

The Guest-VLAN can give network access to 802.1X-incapable devices (like a printer). Instead of implicitly denying access (which is the default), authentication can timeout, and the port can be enabled nonetheless.

The Auth-Fail-VLAN is similar to the above, except that it addresses an actual failure or invalid credentials (instead of lack of credentials entirely).

Hope this helps,
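The two explanations above (the 90-second timeout derived from tx-period and max-reauth-req in the accepted answer, and the guest-VLAN versus auth-fail-VLAN distinction just described) can be put together in a small model of what an 802.1X authenticator port does with an attached host. The code below is an added illustration, not Cisco code or the poster's config: the defaults it assumes (tx-period 30 s, max-reauth-req 2, auth-fail max-attempts 3) are the IOS defaults as the example understands them, and the three supplicant behaviours ("none", "bad-creds", "good-creds") are a simplification of the real EAP exchange.

```python
"""Model of an 802.1X authenticator port's decision for one attached host.

Added example, not Cisco code. Timer math follows the thread's own numbers:
tx-period 30 s and max-reauth-req 2 give a 90 s timeout before the guest
VLAN is applied; tx-period 1 and max-reauth-req 1 give the 2 s mentioned.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortConfig:
    access_vlan: int                      # switchport access vlan
    guest_vlan: Optional[int] = None      # dot1x guest-vlan (timeout case)
    auth_fail_vlan: Optional[int] = None  # dot1x auth-fail vlan (failure case)
    tx_period: int = 30                   # seconds between EAP-Request/Identity sends (assumed default)
    max_reauth_req: int = 2               # retries before declaring timeout (assumed default)
    auth_fail_max_attempts: int = 3       # failed logins before auth-fail VLAN (assumed default)


@dataclass
class Outcome:
    state: str                  # "authorized", "guest", "auth-fail" or "blocked"
    vlan: Optional[int]         # VLAN the host ends up in, None when traffic is dropped
    seconds: Optional[int] = None   # time from link-up until a timeout decision
    attempts: Optional[int] = None  # failed attempts before a failure decision


def eapol_timeout_seconds(cfg: PortConfig) -> int:
    """Time before the switch gives up on a silent host.

    The authenticator sends EAP-Request/Identity once, then retries
    max_reauth_req more times, tx_period seconds apart.
    """
    return cfg.tx_period * (cfg.max_reauth_req + 1)


def port_outcome(cfg: PortConfig, supplicant: str,
                 radius_vlan: Optional[int] = None) -> Outcome:
    """Decide the host's fate for a given supplicant behaviour.

    supplicant: "none"       -> host never answers EAPOL (printer, non-1x PC)
                "bad-creds"  -> host answers but RADIUS rejects it
                "good-creds" -> RADIUS accepts; radius_vlan is the optional
                                dynamic VLAN assignment from the server
    """
    if supplicant == "none":
        wait = eapol_timeout_seconds(cfg)
        if cfg.guest_vlan is not None:
            return Outcome("guest", cfg.guest_vlan, seconds=wait)
        # No guest VLAN: the port stays unauthorized and drops everything,
        # which is the symptom the original poster describes.
        return Outcome("blocked", None, seconds=wait)
    if supplicant == "bad-creds":
        if cfg.auth_fail_vlan is not None:
            return Outcome("auth-fail", cfg.auth_fail_vlan,
                           attempts=cfg.auth_fail_max_attempts)
        # A guest VLAN alone does not help here: the host did respond to
        # EAPOL, so this is a failure, not a timeout.
        return Outcome("blocked", None, attempts=cfg.auth_fail_max_attempts)
    if supplicant == "good-creds":
        vlan = radius_vlan if radius_vlan is not None else cfg.access_vlan
        return Outcome("authorized", vlan)
    raise ValueError(f"unknown supplicant behaviour: {supplicant!r}")


if __name__ == "__main__":
    # Constructed scenarios: the accepted answer's port, and the same port
    # with the guest/auth-fail features missing as on the poster's old IOS.
    full = PortConfig(access_vlan=31, guest_vlan=35, auth_fail_vlan=35)
    bare = PortConfig(access_vlan=31)
    fast = PortConfig(access_vlan=31, guest_vlan=35, auth_fail_vlan=35,
                      tx_period=1, max_reauth_req=1)
    for name, cfg in (("full", full), ("bare", bare), ("fast", fast)):
        for who in ("none", "bad-creds", "good-creds"):
            print(name, who, port_outcome(cfg, who, radius_vlan=31))
```

Running the script prints one line per scenario; the "bare" port shows why a host with no supplicant and no guest VLAN is dropped indefinitely, while the "fast" port shows the timeout falling from 90 s to 2 s when tx-period and max-reauth-req are both set to 1 (on IOS these are the `dot1x timeout tx-period` and `dot1x max-reauth-req` interface commands).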

it does help =) thanks for all your explanation and helps.