dot1x auth-fail vlanX not working

Hi,

I have configured 802.1x on Fa0/3 and it works fine.

I'm testing a restricted VLAN on that port and it does not work.

This is the configuration:

interface FastEthernet0/3
switchport access vlan 11
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x auth-fail vlan 30
dot1x auth-fail max-attempts 2

When the PC connected to Fas0/3 fails authentication twice it should switch to VLAN 30, but that is not happening (port fas0/3 remains in VLAN 11 in up/down state).

show vlan:

11   VLAN0011                         active    Fa0/2, Fa0/3, Fa0/4  
30   RESTRICTED                       active

sw1#sh dot1x interface fas 0/3
Dot1x Info for FastEthernet0/3
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 30
Auth-Fail-Max-attempts    = 2

This is a 2960 running c2960-lanbase-mz.122-35.SE5. What am I missing?

Federico.
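A quick consistency check over the two outputs quoted above, added here as an example and not part of the original post: it parses the "Key = Value" lines of show dot1x interface and the rows of show vlan, confirms that the configured auth-fail VLAN actually exists and is active on the switch (a restricted VLAN that was never created is a common reason the port never moves), and reports which VLAN the port currently sits in. The sample text is constructed from the outputs in the post; the function names are mine.

```python
import re

# Constructed sample input, modelled on the two outputs quoted in the post.
SHOW_DOT1X = """\
Dot1x Info for FastEthernet0/3
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
HostMode                  = SINGLE_HOST
ReAuthPeriod              = 3600 (Locally configured)
Auth-Fail-Vlan            = 30
Auth-Fail-Max-attempts    = 2
"""

SHOW_VLAN = """\
11   VLAN0011                         active    Fa0/2, Fa0/3, Fa0/4
30   RESTRICTED                       active
"""


def parse_dot1x(text):
    """Turn the 'Key = Value' lines of 'show dot1x interface' into a dict."""
    info = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        info[key.strip()] = value.strip()
    return info


# VLAN id, name, status, then an optional comma-separated port list.
# Continuation lines of long port lists (no leading id) are ignored here.
VLAN_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_vlans(text):
    """Parse 'show vlan' rows into {vlan_id: {name, status, ports}}."""
    vlans = {}
    for line in text.splitlines():
        m = VLAN_LINE.match(line.strip())
        if not m:
            continue
        vid, name, status, ports = m.groups()
        vlans[int(vid)] = {
            "name": name,
            "status": status,
            "ports": [p.strip() for p in ports.split(",") if p.strip()],
        }
    return vlans


def check_auth_fail_vlan(dot1x_text, vlan_text, port):
    """Report whether the auth-fail VLAN is usable and whether `port` is in it."""
    info = parse_dot1x(dot1x_text)
    vlans = parse_vlans(vlan_text)
    result = {"findings": []}

    raw = info.get("Auth-Fail-Vlan", "NONE")
    if not raw.isdigit():
        result["findings"].append("no auth-fail VLAN configured on the port")
        return result
    af_vlan = int(raw)
    result["auth_fail_vlan"] = af_vlan

    entry = vlans.get(af_vlan)
    if entry is None:
        result["findings"].append(f"VLAN {af_vlan} does not exist on the switch")
    elif entry["status"] != "active":
        result["findings"].append(f"VLAN {af_vlan} is {entry['status']}, not active")

    # Which VLAN lists the port right now (None if it appears nowhere).
    current = next((vid for vid, v in vlans.items() if port in v["ports"]), None)
    result["current_vlan"] = current
    result["in_auth_fail_vlan"] = current == af_vlan
    if current is not None and current != af_vlan:
        result["findings"].append(f"{port} is still in VLAN {current}")
    return result


if __name__ == "__main__":
    print(check_auth_fail_vlan(SHOW_DOT1X, SHOW_VLAN, "Fa0/3"))
```

On the outputs from the post this reports auth-fail VLAN 30 present and active, with Fa0/3 still in VLAN 11, which narrows the problem to the failure counting rather than to the VLAN itself.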

Accepted Solution

jedubois (Cisco Employee)

Federico,

     How are you testing the Auth-Fail VLAN?  If you are testing with a bad password and using PEAP, this is considered a retriable error which may not cause an Access-Reject from the RADIUS server; instead the password can be retried without first tearing down the TLS tunnel via an Access-Reject.  As configured it would take 3 Access-Rejects from the RADIUS server to be placed into the auth-fail VLAN.  If I remember correctly, a bad username is also retriable.

     If you are using ACS 5 you can turn down the number of PEAP retries to 1 in which case you would need to fail login 6 times with a bad password to hit the auth-fail VLAN.

--Jesse


4 Replies


Jesse,

Thank you very much.

I changed the

dot1x auth-fail max-attempts 2

to

dot1x auth-fail max-attempts 1

and now it works!

The weird thing is that it still prompts me twice for authentication and gives me an auth fail error, but when I check the switch, port F0/3 is now on VLAN 30 (as expected).

If I change it back to dot1x auth-fail max-attempts 2, it prompts me twice for authentication, auth fails, but the switch will keep F0/3 on VLAN 11.

It is working, however it's strange isn't it?

Yes, I am making the test using a bad user/pass.

Federico.

Great,

     This is the retriable error I was mentioning.  The password can be retried inside the TLS tunnel without an Access-Reject being sent from the RADIUS server.  So while you are failing on the supplicant side twice, the switch only sees this as a single failure.

--Jesse
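The exchange Jesse describes, as an added model that is not part of the thread and not Cisco's or any vendor's code: a scripted supplicant answers password prompts, a PEAP server retries the inner MSCHAPv2 exchange inside the TLS tunnel before it finally sends an Access-Reject, and the switch counts only the Access-Rejects against auth-fail max-attempts. The retry flag follows the MSCHAPv2 failure packet format in RFC 2759 (E=691 with R=1 meaning a retry is allowed); the number of inner retries, the max-attempts value and the user's attempts are parameters. One assumption is mine: the model moves the port once it has counted max_attempts Access-Rejects; adjust Switch.port_vlan if your IOS release counts differently. Passwords and VLAN numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Supplicant:
    """The PC: answers each password prompt from a scripted list (constructed input)."""
    passwords: list
    prompts: int = 0

    def prompt_password(self):
        """Return the next password the user types, or None if the user gives up."""
        if not self.passwords:
            return None
        self.prompts += 1
        return self.passwords.pop(0)


@dataclass
class RadiusServer:
    """PEAP server: inner MSCHAPv2 failures are retried inside the TLS tunnel."""
    good_password: str
    peap_retries: int                      # inner retries allowed before an Access-Reject
    log: list = field(default_factory=list)

    def authenticate(self, supplicant):
        """One outer EAP session; returns the RADIUS outcome the switch sees."""
        self.log.append("switch -> server: Access-Request (EAP-Response/Identity)")
        self.log.append("server -> switch: Access-Challenge (PEAP TLS tunnel established)")
        for attempt in range(self.peap_retries + 1):
            self.log.append("server -> supplicant (in tunnel): MSCHAPv2 Challenge")
            password = supplicant.prompt_password()
            if password is None:
                self.log.append("supplicant silent: server times out, no Access-Reject sent")
                return "Timeout"
            if password == self.good_password:
                self.log.append("server -> switch: Access-Accept")
                return "Access-Accept"
            retry = attempt < self.peap_retries
            # RFC 2759 failure packet: E=691 is authentication failure, R=1 allows a retry
            self.log.append(
                f"server -> supplicant (in tunnel): MSCHAPv2 Failure E=691 R={int(retry)}")
        self.log.append("server -> switch: Access-Reject (EAP-Failure)")
        return "Access-Reject"


@dataclass
class Switch:
    """Authenticator: only Access-Rejects count toward auth-fail max-attempts."""
    access_vlan: int
    auth_fail_vlan: int
    max_attempts: int
    rejects: int = 0

    def handle(self, outcome):
        if outcome == "Access-Reject":
            self.rejects += 1

    def port_vlan(self):
        # Assumption in this model: the port moves once max_attempts rejects are counted.
        if self.rejects >= self.max_attempts:
            return self.auth_fail_vlan
        return self.access_vlan


def simulate(peap_retries, max_attempts, user_attempts, access_vlan=11, auth_fail_vlan=30):
    """A user types a wrong password `user_attempts` times; report what each side saw."""
    supplicant = Supplicant(["wrong-password"] * user_attempts)
    server = RadiusServer("s3cret", peap_retries)
    switch = Switch(access_vlan, auth_fail_vlan, max_attempts)
    while supplicant.passwords and switch.port_vlan() == access_vlan:
        outcome = server.authenticate(supplicant)
        switch.handle(outcome)
        if outcome != "Access-Reject":
            break
    return {
        "prompts": supplicant.prompts,
        "access_rejects": switch.rejects,
        "port_vlan": switch.port_vlan(),
        "log": server.log,
    }


if __name__ == "__main__":
    for max_attempts in (1, 2):
        r = simulate(peap_retries=1, max_attempts=max_attempts, user_attempts=2)
        print(f"max-attempts {max_attempts}: {r['prompts']} prompts, "
              f"{r['access_rejects']} Access-Reject(s), port in VLAN {r['port_vlan']}")
```

With one inner retry, two password prompts produce a single Access-Reject, which is enough for max-attempts 1 and not for max-attempts 2, matching what Federico observed; if the user walks away mid-retry the server just times out and the switch counts nothing at all.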

Great stuff!

Thank you Jesse.

Federico.
