Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
462
Views
0
Helpful
4
Replies

802.1x works on 2950 but not 3560 ?

kelvindam
Level 1
Level 1

‎01-15-2007 08:44 AM - edited ‎03-10-2019 02:55 PM

Hi all,

I have a issue where 802.1x is configured on a 2950 switch.

The same config is applied to a 3560 (with new IOS). Both switches are created in ACS 4.x and the 2950 authenticates correctly and changes the port in with the PC is authenticated in the right VLAN. When I try to put this PC into a 802.1x enabled port on the 3560, it gets authenticated/passing postures etc. but the VLAN on the switch doesnt change? on the ACS everything looks ok....but the VLAN doesnt change on the 3560.

Both switches are in the same VTP and can distribute VLANS among them.

Any ideas?

Kdam

Labels:
0 Helpful
4 Replies 4

jafrazie
Cisco Employee
Cisco Employee

‎01-15-2007 11:59 AM

This should work.

Do you have the following configured on the 3560?

aaa authorization network default group radius

What is the value for RADIUS attribute[81] you're sending back from ACS in both/either case?

0 Helpful

kelvindam
Level 1
Level 1
In response to jafrazie

‎01-16-2007 12:49 AM

Yes, I have the aaa auth network default group radius in both switches.

What I do not have tho, is

"aaa accounting dot1x default start-stop group radius"...that command it will not accept. But it should work without that I reckon ?

My [81] value is 1 - default vlan.

The Nac/802.1x ports are configged as follows :

switchport access vlan 20

switchport mode access

dot1x port-control auto

dot1x guest-vlan 20

dot1x reauthentication

spanning-tree portfast

!

I've just tried with another 2950 switch, and that actually have the same issue...so I wonder if its something on the acs Im missing....?

Edited :

I debuged the dot1x on both the working switch, and the malfuntioning one : Heres a interesting part of it :

from the working switch

6d00h: dot1x-ev: GuestVlan configured=0

6d00h: dot1x-registry:** dot1x_vp_statechange:

6d00h: dot1x-ev:vlan 1 vp is added on the interface FastEthernet0/10

6d00h: dot1x-registry:dot1x_port_modechange invoked on interface FastEthernet0/10

6d00h: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1

from the malfuntioning switch

1w2d: dot1x-ev: GuestVlan configured=0

1w2d: dot1x-registry:** dot1x_vp_statechange:

1w2d: dot1x-ev:vlan 20 vp is added on the interface FastEthernet0/23

1w2d: dot1x-registry:dot1x_port_modechange invoked on interface FastEthernet0/23

1w2d: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1

Even though they are the same in the config, and the same profile in ACS.

They should most definately recieve the same VLAN.

Kind regards

Kdam

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to kelvindam

‎01-16-2007 07:37 AM

It should work w/o "aaa acounting .." This is for RADIUS accounting, but this should also work depending on your code rev.

If I could ask a dumb question .. why are you bothering to do VLAN assignment, if the port above is already in VLAN1, and you're trying to re-assign it over RADIUS to the same thing?

Just for giggles, try setting it to something other than 1. You may have hit a bug for the scenario.

0 Helpful

kelvindam
Level 1
Level 1
In response to jafrazie

‎01-16-2007 02:29 PM

The port is not in vlan 1...they start in VLAN 20, and on authentication and valid posture, should be assigned to VLAN 1

/Kdam

0 Helpful
Customers Also Viewed These Support Documents