dot1x auth-fail vlanX not working

Hi,

I have configured 802.1x on Fa0/3 and it works fine.

I'm testing a restricted VLAN configuration on that port and it does not work.

This is the configuration:

interface FastEthernet0/3
switchport access vlan 11
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x auth-fail vlan 30
dot1x auth-fail max-attempts 2

When the PC connected to Fa0/3 fails authentication two times it should switch to VLAN 30, but it's not happening (port Fa0/3 remains in VLAN 11 in up/down state).

SHOW VLAN:

11   VLAN0011                         active    Fa0/2, Fa0/3, Fa0/4  
30   RESTRICTED                       active

sw1#sh dot1x interface fas 0/3
Dot1x Info for FastEthernet0/3
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 30
Auth-Fail-Max-attempts    = 2

This is a 2960 running c2960-lanbase-mz.122-35.SE5. What am I missing?

Federico.

ACCEPTED SOLUTION
Cisco Employee

Re: dot1x auth-fail vlanX not working

Federico,

How are you testing the Auth-Fail VLAN?  If you are testing with a bad password and using PEAP, this is considered a retriable error which may not cause an Access-Reject from the RADIUS server; instead the password can be retried without first tearing down the TLS tunnel via an Access-Reject.  As configured it would take 3 Access-Rejects from the RADIUS server to be placed into the auth-fail VLAN.  If I remember correctly, a bad username is also retriable.

If you are using ACS 5 you can turn down the number of PEAP retries to 1, in which case you would need to fail login 6 times with a bad password to hit the auth-fail VLAN.

--Jesse

4 REPLIES
Re: dot1x auth-fail vlanX not working

Jesse,

Thank you very much.

I changed the

dot1x auth-fail max-attempts 2

to

dot1x auth-fail max-attempts 1

and now it works!

The weird thing is that it still prompts me twice for authentication and gives me an auth fail error, but when I check the switch, port F0/3 is now on VLAN 30 (as expected).

If I change it back to dot1x auth-fail max-attempts 2, it prompts me twice for authentication, auth fails, but the switch keeps F0/3 on VLAN 11.

It is working; however, it's strange, isn't it?

Yes, I am doing the test using a bad user/pass.

Federico.

Cisco Employee

Re: dot1x auth-fail vlanX not working

Great,

This is the retriable error I was mentioning.  The password can be retried inside the TLS tunnel without an Access-Reject being sent from the RADIUS server.  So while you are failing on the supplicant side twice, the switch only sees this as a single failure.

--Jesse
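To make the mechanism Jesse describes (in the accepted answer and the reply above) concrete, here is an added Python model, not Cisco or ACS code: the switch counts RADIUS Access-Rejects, while a password retried inside the PEAP tunnel only produces another Access-Challenge. The inner-retry count and the threshold "rejects >= auth-fail max-attempts" are assumptions of the model, and the VLAN numbers are taken from Federico's configuration.

```python
from dataclasses import dataclass, field


@dataclass
class Dot1xPort:
    """Authenticator-side view of one access port (simplified, illustrative model)."""
    access_vlan: int
    auth_fail_vlan: int
    max_attempts: int                 # dot1x auth-fail max-attempts
    rejects: int = 0                  # Access-Rejects seen on this port
    current_vlan: int = field(init=False)

    def __post_init__(self) -> None:
        self.current_vlan = self.access_vlan

    def on_radius(self, code: str) -> None:
        # Only a final Access-Reject counts as a failed authentication (assumption).
        if code == "Access-Reject":
            self.rejects += 1
            if self.rejects >= self.max_attempts:
                self.current_vlan = self.auth_fail_vlan
        elif code == "Access-Accept":
            self.rejects = 0
            self.current_vlan = self.access_vlan


def peap_session(password_ok: list[bool], inner_retries: int) -> list[str]:
    """RADIUS codes the switch sees for one PEAP session.
    password_ok: result of each password typed at the prompt, in order.
    inner_retries: extra tries the server allows inside the TLS tunnel
    before tearing it down with an Access-Reject (server-side setting)."""
    codes = []
    wrong = 0
    for ok in password_ok:
        if ok:
            codes.append("Access-Accept")
            break
        wrong += 1
        if wrong > inner_retries:
            codes.append("Access-Reject")     # tunnel torn down: the switch counts this
            break
        codes.append("Access-Challenge")      # retried inside the tunnel: not counted
    return codes


def run(max_attempts: int, sessions: list[list[bool]], inner_retries: int = 1) -> Dot1xPort:
    """Replay supplicant sessions against a port configured like Fa0/3 (VLAN 11 / 30)."""
    port = Dot1xPort(access_vlan=11, auth_fail_vlan=30, max_attempts=max_attempts)
    for attempts in sessions:
        for code in peap_session(attempts, inner_retries):
            port.on_radius(code)
    return port
```

With one inner retry, two bad passwords in one session (the two prompts Federico sees) yield a single Access-Reject, so the port only moves to VLAN 30 when max-attempts is 1 or a second session also fails.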

Re: dot1x auth-fail vlanX not working

Great stuff!

Thank you Jesse.

Federico.
