12-28-2006 05:30 PM - edited 03-10-2019 02:53 PM
Hi all,
I'm implementing 802.1x using Catalyst 3560 and MS IAS as radius server. The plan is, every PC needs to authenticate using PEAP with radius and be assigned to a VLAN. Failed authentication will be assigned to the guest VLAN.
The problem is when I'm testing a PC, set the PC without 802.1x enabled, plug it into the 3560 port, the port keeps that PC's packets discarded forever. I remove the dot1x configuration on the interface, but it keeps discarding all packets (can't ping anywhere). When I plug the PC into another port with the same configuration (no dot1x), it works. I have tried shut and no shut on the interface, disabling and enabling devices, removing the config, etc., but the PC can't ping anywhere.
I'm happy to paste the config. Could anyone please explain to me why this happens and what the solution is? Many thanks.
12-29-2006 09:13 AM
Here's an example config that should work:
interface GigabitEthernet1/0/5
switchport access vlan 31
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 35
dot1x auth-fail vlan 35
end
This should NOT keep a non-1x machine from accessing the network forever. With the above, and default timers, it's a 90-sec timeout of 802.1X. You can tweak the tx-period and the max-reauth-req variable to get this down to 2-sec if you wish. If you remove 802.1X, then this should also not discard packets. If the 2 items above are truly occurring, then you have hit a software bug, and a TAC case should be opened immediately. Are you sure something like DHCP just hasn't timed out on you though?
NOTE: The config above has vlan 35 for the guest-vlan being equal to the auth-fail-vlan based on you stating the need for this above. It could be different than the guest-vlan if you wanted it to be. Either/both could be the same vlan as what's statically configured on the port as well [31].
Hope this helps,
01-01-2007 04:52 PM
Hi jafrazie
Thank you for your reply.
It seems my IOS 12.2-25(SEB4) doesn't support dot1x auth-fail. I need to update my IOS first and will keep you up to date.
Anyway, is there any command to refresh the dot1x interface status, or do you have any idea what makes the switch interface block the machine? At the moment, the port keeps blocking the specific machine. I don't know whether the IAS or the switch has the authority to unblock it. Your opinion will be highly appreciated.
Thanks again.
01-02-2007 07:41 AM
OK, so apologies. There's a fine line b/t auth-fail and auth-timeout ;-). You need the auth-fail-vlan if you ever want to try and give network access to something that actually fails authc. Please reference this with your security policies BTW.
If you need to take a look at the real-time state on the port, just repeat the "show dot1x interface
Auth failure can block access for a machine (b/c it's supposed to by default). Auth timeout can block access for a machine (b/c it's supposed to by default). Typically, the authority for this is your IAS server, so authc presumably works successfully to unblock access.
Does this help?
01-02-2007 06:51 PM
Hi jafrazie,
Thanks again for your explanations.
With the new IOS, it looks fine now. Auth-fail is definitely a good feature compared to the previous limited dot1x commands.
With my problem, I'm sure auth timeout is not the one that blocks the machine; I did let the machine ping -t the gateway for a couple of minutes. The "show dot1x interface" didn't show any error state. It didn't even give access to the guest VLAN. Still wondering what causes it.
Do you mind explaining why we need guest-vlan if we already have auth-fail?
01-02-2007 09:13 PM
The Guest-VLAN can give network access to 802.1X-incapable devices (like a printer). Instead of implicitly denying access (which is the default), authentication can timeout, and the port can be enabled nonetheless.
The Auth-Fail-VLAN is similar to the above, except that it addresses an actual failure or invalid credentials (instead of lack of credentials entirely).
Hope this helps,
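Added here as a worked model, not part of the thread and not Cisco's code: this Python sketch encodes the two points made in the replies above (the guest-VLAN timer derived from tx-period and max-reauth-req, and the guest-VLAN versus auth-fail-VLAN split) using the VLAN numbers from the sample config; the class, method and outcome names are assumptions.

```python
# Added example: a small model of where a Catalyst 802.1X access port opens
# a client, given the outcome of authentication and the port's dot1x config.
# VLAN numbers follow the sample config in the thread (access 31, guest 35,
# auth-fail 35); the port/outcome names here are assumptions, not IOS names.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Dot1xPort:
    access_vlan: int                       # switchport access vlan <n>
    guest_vlan: Optional[int] = None       # dot1x guest-vlan <n>
    auth_fail_vlan: Optional[int] = None   # dot1x auth-fail vlan <n>
    tx_period: int = 30                    # dot1x timeout tx-period (default 30 s)
    max_reauth_req: int = 2                # dot1x max-reauth-req (default 2)

    def guest_vlan_delay(self) -> int:
        """Seconds a silent (non-802.1X) client waits before the guest VLAN is
        applied: the first EAP-Request/Identity plus max-reauth-req retries,
        one every tx-period. Defaults give (2 + 1) * 30 = 90 s."""
        return (self.max_reauth_req + 1) * self.tx_period

    def resolve(self, outcome: str, radius_vlan: Optional[int] = None) -> Optional[int]:
        """Map an authentication outcome to the VLAN the port is opened on.
        None means the port stays unauthorized and client traffic is dropped.
        outcome: 'success' (RADIUS Access-Accept; radius_vlan is a dynamic
        VLAN from the server, if any), 'timeout' (client never answered EAPOL,
        e.g. a printer), or 'fail' (RADIUS Access-Reject, bad credentials)."""
        if outcome == "success":
            return radius_vlan if radius_vlan is not None else self.access_vlan
        if outcome == "timeout":
            return self.guest_vlan          # None -> implicit deny
        if outcome == "fail":
            return self.auth_fail_vlan      # None -> implicit deny
        raise ValueError(f"unknown outcome {outcome!r}")


# Constructed scenarios mirroring the thread.
OLD_IOS_PORT = Dot1xPort(access_vlan=31, guest_vlan=35)   # IOS without auth-fail vlan
NEW_IOS_PORT = Dot1xPort(access_vlan=31, guest_vlan=35, auth_fail_vlan=35)
FAST_PORT = Dot1xPort(access_vlan=31, guest_vlan=35, auth_fail_vlan=35,
                      tx_period=1, max_reauth_req=1)     # 2 s guest-VLAN delay

if __name__ == "__main__":
    for name, port in (("old IOS", OLD_IOS_PORT), ("new IOS", NEW_IOS_PORT)):
        for outcome in ("success", "timeout", "fail"):
            print(f"{name:8} {outcome:8} -> vlan {port.resolve(outcome)}")
    print("guest-vlan delay, defaults:", NEW_IOS_PORT.guest_vlan_delay(), "s")
    print("guest-vlan delay, tuned:   ", FAST_PORT.guest_vlan_delay(), "s")
```

A failed PEAP attempt on the older IOS maps to None, which is the "port keeps discarding" symptom the original poster saw; the same failure on the upgraded config lands in VLAN 35.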
01-03-2007 04:19 PM
It does help =) thanks for all your explanations and help.