Dot1x Guest VLAN

From: Bob Nelson (nelsnjr@cox.net)
Date: Tue Jun 14 2005 - 21:32:03 GMT-3


Hello All:

I am working with 3550s, a W2k PC with SP4, and Cisco ACS server version
3.3. I have been able to get the basic dot1x authentication to work
correctly without issue, but when I moved on to using the guest VLAN I have
some issues. My understanding is that a workstation without the dot1x
supplicant running, upon logging in to the network, would not answer the
switch's requests for dot1x authentication and would be placed in the guest
vlan, where the supplicant could be downloaded, etc. I configured this by
adding the dot1x guest-vlan 152 command on the interface to which the laptop
is connected. If the laptop has a supplicant, it should prompt me to log in
to the network, but not directly attach to the guest vlan.

The reaction to this is that the laptop boots, attaches to the network and
connects to the guest vlan. I am never prompted by the supplicant services
to log in to the network and be assigned the correct vlan (172). If I remove the dot1x
guest-vlan 152 from the interface, the laptop then prompts me for my
username and password, at which point, the ACS server assigns me to the
proper vlan (172).

The other command I am confused about is the dot1x guest-vlan supplicant
command. I have seen two different explanations for this option and neither
was clear. Can someone help?

Thanks
Bob

Here is the switch config.
hostname cat3550-1
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
ip routing
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
dot1x system-auth-control
dot1x guest-vlan supplicant
!
!
interface FastEthernet0/22
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 500
 dot1x guest-vlan 152
 dot1x reauthentication
 spanning-tree portfast
!
interface Vlan152
 ip address 172.30.10.2 255.255.255.0
 ip helper-address 172.29.10.4
!
interface Vlan172
 ip address 172.29.10.2 255.255.255.0
!
router rip
 version 2
 network 172.29.0.0
 network 172.30.0.0
 no auto-summary
!
ip classless
no ip http server
!
radius-server host 172.29.10.4 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 3
!
end
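Added example (editor's code, not from the original post or from Cisco): a small audit script that parses an IOS-style config such as the one above and flags, per 802.1x port, where an unauthenticated host would land. The audit rule it applies is an assumption taken from Cisco's documentation of the global `dot1x guest-vlan supplicant` command, which extends guest-VLAN placement to 802.1x-capable clients that fail authentication; the config text embedded below is a constructed excerpt of the posted config, with an extra port added for contrast.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: excerpt of the cat3550-1 config above, plus Fa0/23 for contrast.
SAMPLE_CONFIG = """\
hostname cat3550-1
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
interface FastEthernet0/22
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 500
 dot1x guest-vlan 152
 dot1x reauthentication
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport mode access
 dot1x port-control auto
!
end
"""

def parse_ios(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global lines and per-interface sub-command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # '!' ends the current interface block
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:  # indented => belongs to current interface
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit_guest_vlan(config: str) -> Dict[str, List[str]]:
    """For each port with dot1x port-control auto, list guest-VLAN exposure findings."""
    global_lines, interfaces = parse_ios(config)
    # Assumption (Cisco docs): this global command lets failing 802.1x clients into the guest VLAN.
    supplicant_bypass = "dot1x guest-vlan supplicant" in global_lines
    findings: Dict[str, List[str]] = {}
    for name, lines in interfaces.items():
        if "dot1x port-control auto" not in lines:
            continue
        notes = []
        guest = [m.group(1) for l in lines if (m := re.fullmatch(r"dot1x guest-vlan (\d+)", l))]
        if guest:
            notes.append(f"hosts without a supplicant land in VLAN {guest[0]}")
            if supplicant_bypass:
                notes.append("global 'dot1x guest-vlan supplicant' also admits 802.1x-capable hosts that fail authentication")
        if "dot1x reauthentication" not in lines:
            notes.append("no periodic reauthentication")
        findings[name] = notes
    return findings

if __name__ == "__main__":
    for port, notes in audit_guest_vlan(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(notes) or "no findings")
```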



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3