HPE Community
Switches, Hubs, and Modems
1752808 Members
5905 Online
108789 Solutions
New Discussion юеВ

Re: dot1x - vlan status down

 
mazek
New Member

тАО01-17-2009 01:15 PM

тАО01-17-2009 01:15 PM

dot1x - vlan status down

Hi,

I'm setting up simple dot1x config on 2626. Authenticated users go to vlan 1. I'm connecting to port 3 a PC that is being authenticated but DHCP requests do not get through.

Authenticated:
# show port-access mac-based 3

Port Access MAC-Based Status

Authenticated Unauthenticated Current
Port Clients Clients VLAN ID
---- ------------- --------------- --------
3 1 0 1

But port status is down:
# show vlans 1

Status and Counters - VLAN Information - Ports - VLAN 1

802.1Q VLAN ID : 1
Name : DEFAULT_VLAN
Status : Port-based Voice : No

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
...
3 WEBMAC Learn Down
....

Overridden Port VLAN configuration

Port Mode
---- ------------
3 Untagged


any idea?


Some more info:

# show port-access mac-based clients

Port Access MAC-Based Client Status

Port MAC Address Session Status Time
---- ------------- --------------------- --------
3 00c09f-5b372e authenticated 88


# show port-access mac-based 3 config detail

Port Access MAC-Based Detailed Configuration

Port : 3 MAC-based enabled : Yes
Client Limit : 32 Client Moves : Yes
Logoff Period : 300 Re-Auth Period : 0

Unauth VLAN ID : 111 Auth VLAN ID : 1

Max Requests : 3 Quiet Period : 60
Server Timeout : 30
0 Kudos
5 REPLIES 5
mazek
New Member

тАО01-17-2009 01:37 PM

тАО01-17-2009 01:37 PM

Re: dot1x - vlan status down

One more thing from logs:

ports: port 3 is Blocked by AAA


What could be wrong?
0 Kudos
Jeff Carrell
Honored Contributor

тАО01-17-2009 07:40 PM

тАО01-17-2009 07:40 PM

Re: dot1x - vlan status down

plz provide switch config...

thanx...jeff
0 Kudos
mazek
New Member

тАО01-18-2009 02:41 AM

тАО01-18-2009 02:41 AM

Re: dot1x - vlan status down

Config is pretty simple:

interface 3
no lacp
exit

vlan 1
name "DEFAULT_VLAN"
untagged 1-26
ip address 10.0.1.101 255.255.255.0
exit
vlan 111
name "null-vlan"
exit
aaa authentication port-access eap-radius
radius-server host 10.0.1.100 key test
aaa port-access authenticator 3-8
aaa port-access authenticator active
aaa port-access mac-based 3-8
aaa port-access mac-based 3 addr-limit 32
aaa port-access mac-based 3 addr-moves
aaa port-access mac-based 3 auth-vid 1
aaa port-access mac-based 3 unauth-vid 111
0 Kudos
Jeff Carrell
Honored Contributor

тАО01-18-2009 10:36 AM

тАО01-18-2009 10:36 AM

Re: dot1x - vlan status down

hmmm...

what radius server are you using? altho i agree it looks like it should be working...

of course the other question, is the dhcp server connected to one of the non-802.1X (1-2, 9-26) ports, and can ping the switch?

and another tidbit, mac-auth will take precedence on a port over std 802.1X...

hth...jeff
0 Kudos
mazek
New Member

тАО01-18-2009 11:51 AM

тАО01-18-2009 11:51 AM

Re: dot1x - vlan status down

No idea what was the problem but it works now:

interface 5
no lacp
exit

vlan 1
name "DEFAULT_VLAN"
untagged 1-26
ip address 10.0.1.101 255.255.255.0
exit
vlan 111
name "null-vlan"
exit

aaa port-access mac-based 5
aaa port-access mac-based 5 addr-limit 32
aaa port-access mac-based 5 addr-moves
aaa port-access mac-based 5 auth-vid 1
aaa port-access mac-based 5 unauth-vid 111

thx
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.