
Dot1x allowing non authenticated wired users on the network

JJFORTI
Occasional Contributor

Hi,

I am in the testing phase of dot1x for wired user authentication. I am using a 7506 switch running Comware 5.20.

Below is the global configuration:

#
 radius nas-ip 10.1.2.211
#
 domain default enable domain.org
#
 ip ttl-expires enable
 ip unreachables enable
#
 lldp enable
 lldp compliance cdp
#
 port-security enable
#
 dot1x quiet-period
 dot1x timer quiet-period 30
 dot1x retry 3
 dot1x timer handshake-period 30
 dot1x authentication-method eap
#
radius scheme radius_auth
 primary authentication 10.158.50.2 key cipher xxxxxxx
 primary accounting 10.158.50.2 key cipher xxxxxxx
 secondary authentication 10.58.50.72 key cipher xxxxxxx
 secondary accounting 10.58.50.2 key cipher xxxxxxx
 user-name-format without-domain
 accounting-on enable
#
domain domain.org
 authentication login hwtacacs-scheme tacacs_auth local
 authorization login hwtacacs-scheme tacacs_auth local
 accounting login hwtacacs-scheme tacacs_auth local
 authentication lan-access radius-scheme radius_auth
 authorization lan-access radius-scheme radius_auth
 accounting lan-access radius-scheme radius_auth
 access-limit disable
 state active   
 idle-cut disable
 self-service-url disable
#

The interface configuration:

#
interface GigabitEthernet2/0/42
 port link-mode bridge
 description Wall Plate # 13
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 2265 tagged
 port hybrid vlan 2264 untagged
 port hybrid pvid vlan 2264
 undo voice vlan mode auto
 voice vlan qos trust
 voice vlan 2265 enable
 poe enable
 lldp compliance admin-status cdp txrx
 qos trust dscp
 port-security port-mode userlogin-secure-or-mac
 undo dot1x handshake
 dot1x mandatory-domain domain.org
 dot1x unicast-trigger
#

The plan is to use dot1x for the data VLAN and have the IP phones MAB-authenticated on the voice VLAN. I have also already configured my RADIUS server (Cisco ISE). Now, when I connect my laptop without a supplicant configured, the connection hangs for 30 seconds or so, and then I get full network access. Basically, I am not authenticating, but it is still letting me in. Even when I configured my supplicant, I still fail authentication on the RADIUS server, but the switch lets me in after 30 seconds. What am I missing?

Below is the output of the display dot1x interface command:

<SW-HP-01>disp dot1x interface gig 2/0/42
 Equipment 802.1X protocol is enabled
 EAP authentication is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 EAD quick deploy is disabled

 Configuration: Transmit Period   30 s,  Handshake Period       30 s
                Quiet Period      30 s,  Quiet Period Timer is enabled
                Supp Timeout      30 s,  Server Timeout        100 s
                Reauth Period   3600 s
                The maximal retransmitting times    3
 EAD quick deploy configuration:
                EAD timeout:   30 m

 The maximum 802.1X user resource number is 2048 per slot
 Total current used 802.1X resource number is 0

 GigabitEthernet2/0/42  is link-up
   802.1X protocol is enabled
   Proxy trap checker is   disabled
   Proxy logoff checker is disabled
   Handshake is disabled
   Handshake secure is disabled
   802.1X unicast-trigger is enabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   802.1X Multicast-trigger is enabled
   Mandatory authentication domain: domain.org
   Guest VLAN: NOT configured
   Auth-Fail VLAN: NOT configured
   Critical VLAN: NOT configured
   Critical recovery-action: NOT configured
   Voice VLAN: NOT configured
   Max number of on-line users is 1024

   EAPOL Packet: Tx 1254, Rx 230
   Sent EAP Request/Identity Packets : 985
        EAP Request/Challenge Packets: 0
        EAP Success Packets: 0, Fail Packets: 36
   Received EAPOL Start Packets : 30
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 39
            EAP Response/Challenge Packets: 138
            Error Packets: 0
                
   Controlled User(s) amount to 0
Any help would be appreciated.

-JJ
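The following is an added example and is not part of the original post or of any HPE/Comware tooling: a small Python checker that parses the per-port section of a Comware 5.20 `display dot1x interface` capture (the sample below is the output quoted in the post, copied in as constructed input) and reports the posture facts a reviewer would look at first: a link-up port with zero controlled 802.1X users, EAP failures with no successes, no Guest/Auth-Fail fallback VLAN, and periodic reauthentication disabled. The finding codes and the `parse_dot1x_interface` / `audit_dot1x_port` names are my own; the script assumes the output format exactly as shown in the post and names the symptoms, it does not diagnose the cause.

```python
import re

# Constructed sample input: the per-port part of the `display dot1x interface`
# output quoted in the post above, copied here so the checker runs offline.
SAMPLE_OUTPUT = """\
 GigabitEthernet2/0/42  is link-up
   802.1X protocol is enabled
   Handshake is disabled
   802.1X unicast-trigger is enabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   Mandatory authentication domain: domain.org
   Guest VLAN: NOT configured
   Auth-Fail VLAN: NOT configured
   Critical VLAN: NOT configured
   Max number of on-line users is 1024

   EAPOL Packet: Tx 1254, Rx 230
   Sent EAP Request/Identity Packets : 985
        EAP Request/Challenge Packets: 0
        EAP Success Packets: 0, Fail Packets: 36
   Received EAPOL Start Packets : 30
             EAP Response/Identity Packets : 39
             EAP Response/Challenge Packets: 138

   Controlled User(s) amount to 0
"""

# A second constructed capture for contrast: same port, but with authorized
# users, no EAP failures and reauthentication turned on.
HEALTHY_SAMPLE = (
    SAMPLE_OUTPUT
    .replace("Controlled User(s) amount to 0", "Controlled User(s) amount to 1")
    .replace("EAP Success Packets: 0, Fail Packets: 36",
             "EAP Success Packets: 12, Fail Packets: 0")
    .replace("Periodic reauthentication is disabled",
             "Periodic reauthentication is enabled")
)

# Text fields and integer counters, keyed by the names used in the findings.
FIELD_PATTERNS = {
    "port":           r"^\s*(\S+)\s+is\s+link-(?:up|down)\s*$",
    "link":           r"^\s*\S+\s+is\s+(link-(?:up|down))\s*$",
    "auth_mode":      r"Authentication Mode is (\w+)",
    "port_control":   r"Port Control Type is ([\w-]+)",
    "handshake":      r"^\s*Handshake is (\w+)",
    "reauth":         r"Periodic reauthentication is (\w+)",
    "guest_vlan":     r"Guest VLAN:\s*(.+?)\s*$",
    "auth_fail_vlan": r"Auth-Fail VLAN:\s*(.+?)\s*$",
    "critical_vlan":  r"Critical VLAN:\s*(.+?)\s*$",
}
COUNTER_PATTERNS = {
    "eap_success":      r"EAP Success Packets:\s*(\d+)",
    "eap_fail":         r"Fail Packets:\s*(\d+)",
    "eapol_start":      r"Received EAPOL Start Packets\s*:\s*(\d+)",
    "controlled_users": r"Controlled User\(s\) amount to (\d+)",
}


def parse_dot1x_interface(text):
    """Flatten one port's `display dot1x interface` section into a dict."""
    info = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, text, re.M)
        if m:
            info[name] = m.group(1)
    for name, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text, re.M)
        if m:
            info[name] = int(m.group(1))
    return info


def audit_dot1x_port(info):
    """Return (code, message) findings for a parsed port; codes are this example's own."""
    findings = []
    port = info.get("port", "<port>")
    if info.get("link") == "link-up" and info.get("controlled_users") == 0:
        findings.append(("NO_CONTROLLED_USERS",
                         f"{port} is link-up with 0 controlled 802.1X users: any host "
                         "passing traffic on it is not covered by an 802.1X session"))
    if info.get("eap_fail", 0) > 0 and info.get("eap_success", 0) == 0:
        findings.append(("ALL_AUTH_FAILED",
                         f"{info['eap_fail']} EAP Fail and 0 EAP Success on {port}: RADIUS "
                         "rejected every completed exchange, so no access here came from an "
                         "802.1X authorization"))
    if (info.get("guest_vlan") == "NOT configured"
            and info.get("auth_fail_vlan") == "NOT configured"):
        findings.append(("NO_FALLBACK_VLAN",
                         f"{port} has no Guest or Auth-Fail VLAN: a supplicant-less or failing "
                         "host is expected to stay unauthorized rather than land in the PVID"))
    if info.get("reauth") == "disabled":
        findings.append(("REAUTH_DISABLED",
                         f"periodic reauthentication is disabled on {port}: an authorized "
                         "session is never revalidated against RADIUS"))
    return findings


if __name__ == "__main__":
    for code, message in audit_dot1x_port(parse_dot1x_interface(SAMPLE_OUTPUT)):
        print(f"[{code}] {message}")
```

Paste a live capture in place of `SAMPLE_OUTPUT` to run it against another port. On the post's capture the checker raises all four findings; on the contrasting `HEALTHY_SAMPLE` only `NO_FALLBACK_VLAN` remains, which shows the checks are driven by the counters and VLAN fields rather than by the port name.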