New Member

Problem with Machine Authentication and 802.1x Authentication

Hello,

I would like to configure Dot1x authentication on each switch interface that belongs to the data and voice VLANs, for example:

Interface FastEthernet 1/1
 switchport access vlan 10
 switchport voice vlan 20

But it is not allowed to configure Dot1x on these interfaces. Our aim is to provide authorized access to our LAN either by Dot1x Authentication or through Machine Authentication.

Now I have the following doubts:

1. Is Dot1x configuration on switch ports a part of the Machine Authentication procedure?

2. What kind of configuration is required on the switch port interface to enable machine authentication?

3. And how is the individual switch port controlled in case of machine authentication?

Your kind response will be appreciated and thanks in advance.

Best Regards,

Ahmed

4 REPLIES
Cisco Employee

Re: Problem with Machine Authentication and 802.1x Authenticatio

You need to configure the following on the port:

switchport mode access

Hth,

New Member

Re: Problem with Machine Authentication and 802.1x Authenticatio

Thanks for the immediate response. I verified that switchport mode access is configured, but Dot1x is still not allowed to be configured.

Thanks and Regards

Re: Problem with Machine Authentication and 802.1x Authenticatio

What is the switch model and the IOS/CATOS version running? What are the current AAA and DOT1X global settings? What is the configuration for the port? What is the command that you are entering that is failing?

New Member

Re: Problem with Machine Authentication and 802.1x Authenticatio

Hello,

Thanks for the kind response. Please be updated on the following:

1. IOS Version and Model:

Cisco Internetwork Operating System Software IOS (tm) s3223_rp Software (s3223_rp-IPBASEK9-M), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)

cisco WS-C6509-E (R7000) processor (revision 1.2) with 227328K/34816K bytes of memory.
Processor board ID SMC1022009Q

2. AAA and DOT1x global configs:

aaa new-model
aaa authentication fail-message ^CCCUsername or Password is not Correct^C
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting send stop-record authentication failure
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host x.x.x.x
tacacs-server host y.y.y.y
tacacs-server key zzz
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key zzz
radius-server host y.y.y.y auth-port 1645 acct-port 1646 key zzz
radius-server source-ports 1645-1646

3. Port Configs:

sh run interface fa2/6
Building configuration...

Current configuration : 139 bytes
!
interface FastEthernet2/6
 switchport
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 102
 no ip address
end

4. Dot1x command output:

dot1x port-control auto
Command rejected: One or more ports configured with voice vlan.
Dot1x can't be enabled on voice vlan configured ports.

Hope this information will help you to suggest a feasible solution.

Once again, thanks.

Kind Regards,
