Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

dot1x - vlan status down

mazek
Occasional Visitor

dot1x - vlan status down

Hi,

I'm setting up simple dot1x config on 2626. Authenticated users go to vlan 1. I'm connecting to port 3 a PC that is being authenticated but DHCP requests do not get through.

Authenticated:
# show port-access mac-based 3

Port Access MAC-Based Status

Authenticated Unauthenticated Current
Port Clients Clients VLAN ID
---- ------------- --------------- --------
3 1 0 1

But port status is down:
# show vlans 1

Status and Counters - VLAN Information - Ports - VLAN 1

802.1Q VLAN ID : 1
Name : DEFAULT_VLAN
Status : Port-based Voice : No

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
...
3 WEBMAC Learn Down
....

Overridden Port VLAN configuration

Port Mode
---- ------------
3 Untagged


any idea?


Some more info:

# show port-access mac-based clients

Port Access MAC-Based Client Status

Port MAC Address Session Status Time
---- ------------- --------------------- --------
3 00c09f-5b372e authenticated 88


# show port-access mac-based 3 config detail

Port Access MAC-Based Detailed Configuration

Port : 3 MAC-based enabled : Yes
Client Limit : 32 Client Moves : Yes
Logoff Period : 300 Re-Auth Period : 0

Unauth VLAN ID : 111 Auth VLAN ID : 1

Max Requests : 3 Quiet Period : 60
Server Timeout : 30
5 REPLIES
mazek
Occasional Visitor

Re: dot1x - vlan status down

One more thing from logs:

ports: port 3 is Blocked by AAA


What could be wrong?
Jeff Carrell
Honored Contributor

Re: dot1x - vlan status down

plz provide switch config...

thanx...jeff
mazek
Occasional Visitor

Re: dot1x - vlan status down

Config is pretty simple:

interface 3
no lacp
exit

vlan 1
name "DEFAULT_VLAN"
untagged 1-26
ip address 10.0.1.101 255.255.255.0
exit
vlan 111
name "null-vlan"
exit
aaa authentication port-access eap-radius
radius-server host 10.0.1.100 key test
aaa port-access authenticator 3-8
aaa port-access authenticator active
aaa port-access mac-based 3-8
aaa port-access mac-based 3 addr-limit 32
aaa port-access mac-based 3 addr-moves
aaa port-access mac-based 3 auth-vid 1
aaa port-access mac-based 3 unauth-vid 111
Jeff Carrell
Honored Contributor

Re: dot1x - vlan status down

hmmm...

what radius server are you using? altho i agree it looks like it should be working...

of course the other question, is the dhcp server connected to one of the non-802.1X (1-2, 9-26) ports, and can ping the switch?

and another tidbit, mac-auth will take precedence on a port over std 802.1X...

hth...jeff
mazek
Occasional Visitor

Re: dot1x - vlan status down

No idea what was the problem but it works now:

interface 5
no lacp
exit

vlan 1
name "DEFAULT_VLAN"
untagged 1-26
ip address 10.0.1.101 255.255.255.0
exit
vlan 111
name "null-vlan"
exit

aaa port-access mac-based 5
aaa port-access mac-based 5 addr-limit 32
aaa port-access mac-based 5 addr-moves
aaa port-access mac-based 5 auth-vid 1
aaa port-access mac-based 5 unauth-vid 111

thx