[c-nsp] Dot1x stuck in guest-vlan
Scott Keoseyan
scott at labyrinth.org
Tue Jun 2 19:58:52 EDT 2009
If you're using the Microsoft supplicant, you may need to make a
registry change to force the supplicant to issue an EAPOL start to
initialize the state machine on the port.
See:
http://technet.microsoft.com/en-us/network/cc987603.aspx
The SupplicantMode registry value
(HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode)
affects the behavior of an 802.1X supplicant when sending EAP over LAN
(EAPOL)-Start packets during 802.1X authentication. The SupplicantMode
value can be set to the following:
* 0 - Disable IEEE 802.1X operation.
* 1 - Never send an EAPOL-Start packet.
* 2 - Automatically determine when to initiate the transmission
of EAPOL-Start packets. This is the default value for wired connections.
* 3 - Send an EAPOL-Start message upon association to initiate
the 802.1X authentication process, for compliance with the IEEE 802.1X
specification.
On Jun 2, 2009, at 11:21 AM, Pavel Skovajsa wrote:
> Hello all,
>
> I am struggling with the way the Guest Vlan is handled in dot1x.
> All the port states work just fine, except during workstation boot-up
> the switch does not receive dot1x packets from workstation dot1x
> client hence forcing the port to fall into Guest Vlan, as below:
>
> =============================================
> C3560#sh authentication sessions interface fa0/38
> Interface: FastEthernet0/38
> MAC Address: Unknown
> IP Address: Unknown
> User-Name: UNRESPONSIVE
> Status: Authz Success
> Domain: DATA
> Oper host mode: multi-host
> Oper control dir: both
> Authorized By: Guest Vlan
> Vlan Policy: 330
> Session timeout: N/A
> Idle timeout: N/A
> Common Session ID: 0A821A5C00003727DE21D3A1
> Acct Session ID: 0x000045A8
> Handle: 0x63000727
>
> Runnable methods list:
> Method State
> dot1x Failed over
> ==============================================
>
> Once the PC and its dot1x client or supplicant is up and running, the port
> status does not change to the production Vlan as I would expect.
> The only remedy here is to shut / no shut the port.
>
> port config:
> ====================
> interface FastEthernet0/38
> switchport access vlan 100
> switchport mode access
> switchport voice vlan 500
> priority-queue out
> authentication event fail action authorize vlan 330
> authentication event server dead action authorize vlan 100
> authentication event no-response action authorize vlan 330 <=
> it works without this command for compliant users, however
> non-compliant guest machines would not be allowed any network
> connectivity at all
> authentication event server alive action reinitialize
> authentication port-control auto
> authentication periodic
> authentication timer restart 20
> authentication timer reauthenticate 20
> authentication timer inactivity 120
> mls qos trust device cisco-phone
> mls qos trust cos
> dot1x pae authenticator
> dot1x timeout server-timeout 100
> dot1x timeout tx-period 2
> dot1x timeout supp-timeout 10
> spanning-tree portfast
> end
> ===========================
>
> Many thanks for any hints,
>
> Pavel Skovajsa
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
Scott Keoseyan
scott at labyrinth.org
Homepage - http://www.labyrinth.org/homepages/scott
Blog - http://www.labyrinth.org/wp1
PGP Key - http://www.labyrinth.org/homepages/scott/pgp.html
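As an added illustration of the registry change Scott describes (not code from the thread or from Microsoft), the script below reads the SupplicantMode value at the path quoted above, reports what it means, and sets it to 3 so the supplicant sends an EAPOL-Start itself. It assumes that XP-era key exists on the host and that the shell is elevated; the service-restart hint at the end is an assumption, not something the thread states.

```powershell
# Added example, not part of the original message. Audits and sets the
# SupplicantMode value from the TechNet article quoted above.
$Path = 'HKLM:\Software\Microsoft\EAPOL\Parameters\General\Global'   # path from the post
$Name = 'SupplicantMode'
$Modes = @{
    0 = 'Disable IEEE 802.1X operation'
    1 = 'Never send an EAPOL-Start packet'
    2 = 'Automatically determine when to send EAPOL-Start (wired default)'
    3 = 'Send EAPOL-Start upon association (IEEE 802.1X compliant)'
}

function Get-SupplicantMode {
    # Returns the effective mode. An absent value means the wired default, 2.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 2 }
    return [int]$item.$Name
}

function Set-SupplicantMode {
    param([ValidateSet(0, 1, 2, 3)][int]$Mode)
    # Create the key if it is missing, then write the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Mode -Type DWord
}

$current = Get-SupplicantMode
Write-Host ("Current SupplicantMode: {0} ({1})" -f $current, $Modes[$current])

if ($current -ne 3) {
    # Mode 3 makes the supplicant initiate EAPOL-Start on link-up, so the switch
    # can leave the guest VLAN without a manual shut / no shut.
    Set-SupplicantMode -Mode 3
    Write-Host ("SupplicantMode set to 3 ({0})." -f $Modes[3])
    # Assumption: a reboot (or restarting the 802.1X supplicant service) is
    # needed before the new mode takes effect.
    Write-Host 'Reboot or restart the supplicant service for the change to apply.'
}
```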