Dot1x: not failing over to guest-vlan

Eric Turenne
Level 1

Hello,

I'm deploying dot1x in the office and I'm having a little difficulty with enabling both dot1x with mab and then failing over to the guest vlan.

In a simple scenario where an end user device cannot provide authentication, I want the switch to automatically put the user on the guest vlan. I did not enable periodic authentication, to reduce excessive authentications, and I configured maximum attempts, but the switch will constantly try to authenticate the device.

Switch model: WS-C2960-24LT-L with 15.0(2)SE6.

Switch configuration:

aaa accounting dot1x default start-stop group radius
aaa authentication dot1x default group radius
dot1x system-auth-control

Port configuration:

interface FastEthernet0/15
 switchport access vlan 144
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x max-req 3
 dot1x max-reauth-req 1
 spanning-tree portfast
!

Any help will be greatly appreciated.

 

UPDATE: See comment below.

Eric Turenne
Level 1

I found a solution where 'event fail action next-method' would likely trigger the next authentication method without failing over. I also removed the priority and order commands as the switch will process in the intended order.

Here is the result:

interface FastEthernet0/16
 switchport access vlan 144
 switchport mode access
 authentication event fail action authorize vlan 550
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x max-req 3
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Hope this helps someone else.
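
An added example, not part of the posts in this thread: a small Python check over IOS-style interface text that reports, for each port with `authentication port-control auto`, which of the three `authentication event` lines shown in the configurations above have no `authorize vlan` action. The function names and the optional `retry` match are assumptions of this example, and the sample input is constructed from the two port stanzas quoted in the thread.

```python
import re

# Constructed sample: the thread's two port stanzas, trimmed to the relevant lines.
SAMPLE_CONFIG = """\
interface FastEthernet0/15
 authentication event fail action next-method
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication port-control auto
!
interface FastEthernet0/16
 authentication event fail action authorize vlan 550
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication port-control auto
!
"""

EVENTS = ("fail", "server dead", "no-response")
EVENT_RE = re.compile(
    r"authentication event (fail|server dead|no-response)(?: retry \d+)? action (.+)")

def parse_interfaces(config):
    """Split IOS-style text into {interface name: [stripped sub-commands]}."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1].strip(), [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())
        else:  # "!", "end" or a global command closes the stanza
            current = None
    return ports

def audit_fallback(config):
    """Return {port: [events with no 'authorize vlan' action]} for 802.1X ports."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # port does not run 802.1X/MAB, nothing to check
        actions = dict(m.groups() for m in map(EVENT_RE.fullmatch, cmds) if m)
        missing = [e for e in EVENTS
                   if not re.fullmatch(r"authorize vlan \d+", actions.get(e, ""))]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    print(audit_fallback(SAMPLE_CONFIG))
```

Run against a saved configuration, it lists only the ports that still need a fallback VLAN on one of the three events; the first stanza from the thread is reported for the `fail` event and the revised one is not.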

Good job on solving your own problem, Oliver, and for taking the time to update everyone here! (+5 from me). If your issue is solved you should mark the thread as answered ;)