[c-nsp] Dot1x stuck in guest-vlan

Pavel Skovajsa pavel.skovajsa at gmail.com
Tue Jun 2 11:21:21 EDT 2009


Hello all,

I am struggling with the way the Guest Vlan is handled in dot1x.
All the port states work just fine, except that during workstation boot-up
the switch does not receive dot1x packets from the workstation's dot1x
client, hence forcing the port to fall into the Guest Vlan, as below:

=============================================
C3560#sh authentication sessions interface fa0/38
            Interface:  FastEthernet0/38
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  330
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A821A5C00003727DE21D3A1
      Acct Session ID:  0x000045A8
               Handle:  0x63000727

Runnable methods list:
       Method   State
       dot1x    Failed over
==============================================

Once the PC and its dot1x client (supplicant) is up and running, the port
status does not change to the production Vlan as I would expect.
The only remedy here is to shut / no shut the port.

port config:
====================
interface FastEthernet0/38
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 500
 priority-queue out
 authentication event fail action authorize vlan 330
 authentication event server dead action authorize vlan 100
 authentication event no-response action authorize vlan 330         <=
   (it works without this command for compliant users, however
   non-compliant guest machines would not be allowed any network
   connectivity at all)
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer restart 20
 authentication timer reauthenticate 20
 authentication timer inactivity 120
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout server-timeout 100
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 10
 spanning-tree portfast
end
===========================

Many thanks for any hints,

Pavel Skovajsa
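As an added example, not part of Pavel's post or of Cisco's tooling: a small Python parser for the `show authentication sessions interface` output shown above, which flags ports that are still sitting in the Guest Vlan with dot1x in "Failed over". It is useful when auditing a collected show output for ports whose supplicant came up but whose authorization was never refreshed, since a production machine left on the guest VLAN is both an access problem and a stale-authorization finding. The field names come from the post; the second session block in the sample is constructed for contrast, and the healthy "Authentication Server" / "Authc Success" values are assumed, not taken from the post.

```python
import re

# Constructed sample: the first block is the stuck port from the post,
# the second is a made-up healthy session on another port for contrast.
SAMPLE_OUTPUT = """\
            Interface:  FastEthernet0/38
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  330
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A821A5C00003727DE21D3A1
      Acct Session ID:  0x000045A8
               Handle:  0x63000727

Runnable methods list:
       Method   State
       dot1x    Failed over
            Interface:  FastEthernet0/39
          MAC Address:  0011.2233.4455
           IP Address:  10.0.0.5
            User-Name:  jdoe
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
          Vlan Policy:  100

Runnable methods list:
       Method   State
       dot1x    Authc Success
"""

# "Key:  value" lines; keys are words/spaces/hyphens (e.g. "User-Name", "Vlan Policy").
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(.*?)\s*$")
# "method   state" lines under "Runnable methods list:".
METHOD_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_sessions(text):
    """Split show output into one dict per session; dot1x/mab states go under 'methods'."""
    sessions = []
    current = None
    in_methods = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Interface:"):
            # A new "Interface:" line starts a new session block.
            current = {"methods": {}}
            sessions.append(current)
            in_methods = False
        if current is None or not stripped:
            continue
        if stripped.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if stripped.startswith("Method"):
                continue  # column header, not a method
            m = METHOD_RE.match(line)
            if m:
                current["methods"][m.group(1)] = m.group(2)
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return sessions


def stuck_in_guest_vlan(sessions):
    """Interfaces showing the symptom from the post: authorized by the Guest Vlan
    after dot1x failed over because no supplicant answered (User-Name UNRESPONSIVE)."""
    return [
        s["Interface"]
        for s in sessions
        if s.get("Authorized By") == "Guest Vlan"
        and s.get("User-Name") == "UNRESPONSIVE"
        and s["methods"].get("dot1x") == "Failed over"
    ]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for intf in stuck_in_guest_vlan(parsed):
        sess = next(s for s in parsed if s["Interface"] == intf)
        print(f"{intf}: in guest vlan {sess.get('Vlan Policy')}, dot1x {sess['methods']['dot1x']}")
```

Run it against the output of `show authentication sessions interface ...` (or the per-port blocks of the summary form) saved to a file; any interface it reports is one where the supplicant's later EAPOL traffic did not move the port out of the guest VLAN, which is exactly the condition that needed a shut / no shut in the post.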
