Cisco 2960 802.1x multi-auth with dynamic VLAN assignment

matthewceroni
Level 1

Hi:

I have a Cisco 2960 running 12.2(50) SE5 LAN base image. When trying to configure 802.1x in multi-auth host mode I am unable to get my clients to successfully connect.

Under normal circumstances (i.e. with no multi-auth host mode enabled) 802.1x clients authenticate and are correctly placed into the VLAN returned by the RADIUS server. This is validated through the following commands:

     CM-SRSW09#show authentication interface fa0/1
     Client list:
     Interface  MAC Address     Method   Domain   Status         Session ID
       Fa0/1      5c26.0a1a.6565  dot1x    DATA     Authz Success  C0A8666D0000000315DD2B66
     Available methods list:
       Handle  Priority  Name
         3        0      dot1x
     Runnable methods list:
       Handle  Priority  Name
         3        0      dot1x

The show vlan command shows interface Fa0/1 next to VLAN 102. Fa0/1 is the interface I am testing with and VLAN 102 is the VLAN returned by the RADIUS server. The client (just a standard Windows 7 system) then obtains the correct IP address for that network segment.

However when I try to use multi-auth host mode (through the use of authentication host-mode multi-auth) I am not able to get a valid IP address on the client. The configuration for the port is as such:

     interface FastEthernet0/1
      description 802.1x TEST PORT
      switchport mode access
      authentication host-mode multi-auth
      authentication port-control auto
      dot1x pae authenticator
     !

The command show authentication still shows that the client is in Authz Success status for the DATA domain.

     CM-SRSW09#show authentication interface fa0/1
     Client list:
     Interface  MAC Address     Method   Domain   Status         Session ID
       Fa0/1      5c26.0a1a.6565  dot1x    DATA     Authz Success  C0A8666D0000000315DD2B66

However the show vlan output does not show interface Fa0/1 next to VLAN 102 anymore. Reading the documentation for multi-auth mode there are a few sections that I am not sure I fully understand:

1) the host is the first host authorized on the port, and the RADIUS server supplies VLAN information

2) subsequent hosts are authorized with a VLAN that matches the operational VLAN

3) a host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN

So, if I am reading that correctly, the first host will authenticate and whatever VLAN info is returned from the RADIUS server becomes the operational VLAN. In my testing case there are no other clients but the first one I authenticate, so VLAN 102 should become the operational VLAN. Any subsequent hosts that try to authenticate either have to have no VLAN information supplied from the RADIUS server or it must match the operational VLAN (so 102 in this case).

If all that is correct then after the initial client authenticates I believe I should still see Fa0/1 next to VLAN 102 from the output of show vlan (since the port can only ever be in one VLAN even in multi-auth mode). Since it doesn't I think my problem centers around the dynamic VLAN assignment portion.

Thanks
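As an added example (not code from the original post or from Cisco), the three documented multi-auth conditions quoted above turned into a small Python model, together with a parser for the "Client list" rows of `show authentication interface` in the format posted. The parser input is the row from the question; the additional MAC addresses, the VLAN values 200 and 998 used for later hosts, and the configured access VLAN of 1 (the test port has no `switchport access vlan`, so the default) are assumptions for illustration, and the model only covers the data-domain rule, not the switch's full authorization state machine.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the "Client list" rows of `show authentication interface
# fa0/1` as they appear in the question above.
SAMPLE_SHOW_AUTH = """\
Client list:
Interface  MAC Address     Method   Domain   Status         Session ID
  Fa0/1      5c26.0a1a.6565  dot1x    DATA     Authz Success  C0A8666D0000000315DD2B66
"""

# One client row: interface, dotted-hex MAC, method, domain, status (may
# contain a space, e.g. "Authz Success") and session id.
_CLIENT_RE = re.compile(
    r"^\s*(?P<interface>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<session_id>\S+)\s*$"
)


def parse_show_authentication(text: str) -> list[dict]:
    """Return one dict per client row; headers and the method tables do not match."""
    rows = []
    for line in text.splitlines():
        m = _CLIENT_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


@dataclass
class Session:
    mac: str
    radius_vlan: Optional[int]   # VLAN returned by RADIUS, None if the server sent none
    status: str                  # "Authz Success" or "Authz Failed"


@dataclass
class MultiAuthPort:
    """Minimal model of the documented multi-auth VLAN rule (assumption: the
    real switch keeps more state than this, e.g. the voice domain)."""
    name: str
    configured_vlan: int                  # `switchport access vlan N`; 1 if not configured
    operational_vlan: Optional[int] = None
    sessions: list = field(default_factory=list)

    def effective_vlan(self) -> int:
        # Until a first host is authorized with a RADIUS VLAN, the port sits in
        # its configured access VLAN.
        return self.configured_vlan if self.operational_vlan is None else self.operational_vlan

    def authorize(self, mac: str, radius_vlan: Optional[int]) -> str:
        already_authorized = any(s.status == "Authz Success" for s in self.sessions)
        if not already_authorized:
            # Conditions 1 and 3: first host. Its RADIUS VLAN, if any, becomes
            # the operational VLAN; otherwise the configured VLAN stays operational.
            if radius_vlan is not None:
                self.operational_vlan = radius_vlan
            status = "Authz Success"
        elif radius_vlan is None or radius_vlan == self.effective_vlan():
            # Conditions 2 and 3: later hosts must carry no VLAN or the operational VLAN.
            status = "Authz Success"
        else:
            status = "Authz Failed"
        self.sessions.append(Session(mac, radius_vlan, status))
        return status


def question_scenario() -> dict:
    """The poster's case: no `switchport access vlan`, RADIUS returns 102 for
    the first host. The extra MACs and the VLAN 200 for the last host are constructed."""
    port = MultiAuthPort("Fa0/1", configured_vlan=1)
    first = parse_show_authentication(SAMPLE_SHOW_AUTH)[0]
    results = {
        first["mac"]: port.authorize(first["mac"], 102),
        "0000.1111.2222": port.authorize("0000.1111.2222", None),   # no VLAN: accepted
        "0000.1111.3333": port.authorize("0000.1111.3333", 102),    # matches 102: accepted
        "0000.1111.4444": port.authorize("0000.1111.4444", 200),    # mismatch: rejected
    }
    results["effective_vlan"] = port.effective_vlan()
    return results


if __name__ == "__main__":
    for key, value in question_scenario().items():
        print(f"{key:>16}  {value}")
```

Under this model the first host's VLAN 102 becomes the operational VLAN of Fa0/1, which is why the poster expects `show vlan` to keep listing Fa0/1 under VLAN 102 after the first authorization; a port whose first host carries no RADIUS VLAN keeps its configured access VLAN and rejects a later host that asks for a different one.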

1 Reply

hdussa
Level 1

Hi Matthew,

A little bit strange. But multi-auth means one device in the voice domain and multiple in the data domain.

I use this in production. My port config differs from your config.

     switchport access vlan 998          (not routed)
     switchport mode access
     switchport voice vlan 24
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication port-control auto
     authentication timer inactivity server
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 1
     dot1x max-req 3
     dot1x max-reauth-req 1
     no mdix auto
     no cdp enable
     spanning-tree portfast
     spanning-tree bpduguard disable

Maybe it helps.
