802.1.x guest VLAN problem

Similar Messages

• 802.1X with Guest vlan support IOS version ???

  I don't know, Whitch IOS version support 802.1X with Guest vlan to Catalyst 2950 and 3550 switch
  please reply to my question.

  Tkank for your help.
  Also, Cisco web is explained , except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3
  but I can't understand, My site is using catalyst 2950 SI to 802.1X and guest vlan in IOS image 12.1(22)EA3
  ex) TW_14F_A_C2950_32.8#sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
  Running Standard Image
  24 FastEthernet/IEEE 802.3 interface(s)
  Model number: WS-C2950-24
  please, reply for my question

• 802.1x Guest Vlan and Routed access layer design

  Hi!
  For many reasons, I have to re-design my campus network in a more ISP like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest vlan on my access ports(3750). I was reading on the subject and I found that the guest vlan feature was not availeble with internal vlan(routed port).
  Is this limitation realy there, is there a way I can get around it without complicating my design even more. Do cisco have plan to lift this???

  You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
  The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
  Hope this helps,

• 802.1x Auth-Fail VLAN and Guest-VLan not available

  Hi Pros,
  Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
  I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
  Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.
  I found this link on Cisco's site:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
  That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
  EZVPN_Remote(config-if)#int fa1
  EZVPN_Remote(config-if)#dot
  EZVPN_Remote(config-if)#dot1?
  dot1q
  EZVPN_Remote(config-if)#dot1
  EZVPN_Remote(config-if)#int vlan1
  EZVPN_Remote(config-if)#dot1x ?
    default           Configure Dot1x with default values for this port
    host-mode         Set the Host mode for 802.1x on this interface
    max-reauth-req    Max No.of Reauthentication Attempts
    max-req           Max No.of Retries
    pae               Set 802.1x interface pae type
    port-control      set the port-control value
    reauthentication  Enable or Disable Reauthentication for this port
    timeout           Various Timeouts
  Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
  EZVPN_Remote#sh ver
  Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2011 by Cisco Systems, Inc.
  Compiled Tue 12-Jul-11 21:02 by prod_rel_team
  ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
  EZVPN_Remote uptime is 6 hours, 1 minute
  System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
  System restarted at 14:52:47 UTC Thu Oct 13 2011
  System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
  Last reload type: Normal Reload
  Last reload reason: Reload Command
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
  Processor board ID FTX153482GK
  5 FastEthernet interfaces
  1 Virtual Private Network (VPN) Module
  256K bytes of non-volatile configuration memory.
  126000K bytes of ATA CompactFlash (Read/Write)
  License Info:
  License UDI:
  Device#   PID                   SN
  *0        CISCO881-SEC-K9       xxxxxxxx
  License Information for 'c880-data'
      License Level: advipservices   Type: Permanent
      Next reboot license Level: advipservices
  Thanks in advance!

  Shamless bump...

• 802.1X un-authenticated user and guest VLAN

  Is there an option for 802.1X wired network to put any un-authenticated user onto the guest VLAN instead of no access? Thanks.

  You can read more about "802.1X authentication failure VLAN" in the release notes for cat 6000 8.4 new features. It may not be in your hardware yet.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm

• 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

  Hello,
  i have tried to configure a dot1x based Authentication.
  With an single host including guest-vlan, everything works fine.
  But i want to use an IP-Phone (wich is every times authenticated) and behind the Phone an Client.
  Is there a possible solution? And unfortunately IP-Phones are Avaya-Phones.
  i have  just tried so...
  interface GigabitEthernet0/4
  switchport access vlan 121
  switchport mode access
  switchport voice vlan 200
  authentication event fail action authorize vlan 99
  authentication event server dead action authorize vlan 121
  authentication event server alive action reinitialize
  authentication host-mode multi-host
  authentication order dot1x
  authentication port-control auto
  authentication periodic
  authentication violation restrict
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 1
  spanning-tree portfast
  Thanks, for any possible solution!

  unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
  I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
  Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
  What are using for a radius server?

• Dot1X guest vlan authentication issue..Real Challenge!!

  Hi Guys!
  I would really appreciate if some one could help me find lead on this issue...
  My coporate and Quarantine users dosn't get correct VLAN as soon as i enable Guest VLAN feature..all of them go to guest VLAN...
  Scenario 1
  interface GigabitEthernet3/0/42
  switchport mode access
  authentication port-control auto
  dot1x pae authenticator
  dot1x timeout quiet-period 5
  dot1x timeout tx-period 5
  spanning-tree portfast
  Test Workstation behavior
  802.1X (Corporate) = VLAN 1
  802.1X (Quarantine)= VLAN 20
  Non-802.1X (Guest) = UnAouthorized
  Conclusion
  802.1x authentication is working without the guest VLAN feature
  Scenario 2
  interface GigabitEthernet3/0/42
  switchport mode access
  authentication event no-response action authorize vlan 30
  authentication port-control auto
  dot1x pae authenticator
  dot1x timeout quiet-period 5
  dot1x timeout tx-period 5
  spanning-tree portfast
  Test Workstation behavior
  802.1X (Corporate) = VLAN 30 GuestVlan
  802.1X (Quarantine)= VLAN 30 GuestVlan
  Non-802.1X = VLAN 30 GuestVlan
  Conclusion
  802.1X doesn't work after enabling Guest VLAN feature (no-response)
  Some important notes...
  1) IOS version = c3750-ipbase-mz.122-50.SE.bin the only IOS which supports 10gig modules...
  so i can not test with any other IOS
  2) We had older 3750 100Mpbs switches with same config (we copied the config from old switch to new Switch) and the only command which got change automatically due to IOS change is....
  dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)
  so even if you put old command syntax it will get change to new one...
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
  Guys please help me.........

  Just to update you here.......after running some debugs on Swicth i found that....(Scenario-2)
  When we connect 8021X enabled PCs (Coporate users) and Boot them...they initially behave like Non-8021X client while booting and during that time switch puts them in guest vlan but when workstation comes to a state (login prompt)where they start communicating like 8021X client.....switch just fails to put them in appropriate VLANs.. may be due to some time out issues.........I feel like i am very close to get the solution but just wondering which timers need to change or may be i am wrong if there is something else need to be put in...........any way i just shared my things with you....
  Same Workstations are working fine with old swicthes without any problem...it is windows XP SP3

• HQ and Remote Wired Guest VLAN

  Hello all,
  I am having trouble to create a standard condition for Policy Authorization.  Basically there are HQ and remote locations configure for guest access.
  Each location has its own guest vlan.  On ISE the standard rule are:
  Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
  This rule is working good for HQ.
  Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
  This rule is design for remote but Standard rule 1 is taking over because first match applied and since the OR condition may cause some problem
  with internal users since the condition is Unknown OR MTL_Devices.  There is no AND condition for this.
  Let me know if anyone has idea or have solved this problem.
  Thank you.

  Hi,
  You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.
  Please change the order and see if this fixes your issue, if this doesnt work, post a screenshot of your policies just to make sure we are on the same page.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Guest VLAN cannot ping gateway

  Hi Sir,
       I have an issue wherein my guest vlan cannot ping its gateway thus it cant go through the web auth page. I have been given an ip address with corresponding gateway, subnet and dns for the guest vlan. I have allowed all the vlans in the trunk port for wlc and ap connection.
       wat do you think is the problem? hope you could help on this.
  thanks.
  Regards,
  Neri

  Hi Neri
  The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
  When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
  It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
  Regards
  Roger

• Configuring Guest VLAN on AP541N and UC560

  I have a AP541N connected to a UC560.  We are currently configured for Wireless Voice and Data.  We have added a Guest VLAN, but don't see where in CCA to secure the VLAN from accessing the other other two default VLANs.  Any help would be appreciated.
  Additional Info:
  AP541N-K9-1.7(2)
  UC560  15.0(1)XA2, RELEASE SOFTWARE (fc2)
  CCA 3.0

  https://supportforums.cisco.com/docs/DOC-14855
  We are experincing the exact same problem in our lab.
  There is no way with CCA that the VLANs can be secured. You have to use CLI, howerver once you choose to use CLI for configuration CCA may no longer be used.
  Hope this helps.
  Terry

• Adding a guest VLAN to 1240s

  I have some Cisco 1240 Access Points which are not centrally managed.  I want to add 802.1Q trunking so as to be able to provision a guest VLAN.  But a trick is that these APs are in some very high ceilings.  I would like to provision the new trunking and guest VLAN without having to remove them from the ceiling.  Someone suggested I just make the native VLAN save as existing and make the port to which attaches a trunked port.  But when I did this I lost
  connectivity to the Access Point.  Access came back as soon as I made the switch port an access port.  Can someone suggest a recipe for how I can add the trunking and guest VLAN without having to get into the ceilings to remove them and configure them via console or other?  Thank you. 

  Stephen Rodriguez wrote:Create your config then tftp it to the start config. Then when you are ready reboot the AP and change the switch port. SteveSent from Cisco Technical Support iPhone App
  You can do that but you need to be careful because if there is something wrong with the config and you can't reach the AP then you can't correct the config via tftp back again and you have to unmount the AP.
  It is better you start doing the config with the easist AP to unmount from the ceiling.
  You need to configure sub-interfaces in your current AP to support multiple VLANs.
  Hope those links will help you:
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
  https://supportforums.cisco.com/docs/DOC-14496
  Amjad

• WAP551 Guest Wifi problem

  I have just purchased this unit and am struggling with the guest vlan. I have configured the unit with the wizard, set up guest vlan (30) , connected that to a vlan aware switch (GS110TPv2), plugged the AP into a port that tags Vlan 30. The router connects to the switch in this vlan, and hands out an IP address to the client in the expected range for the guest network, but I cant get any internet, or even ping the router when on the guest ssid.
  If connected to the office vlan 1, all works fine.
  I have contacted netgear support and they have said the switch config is ok for what I am trying to achieve, so am now stuck.

  Hello jonmeacham1,
  Thanks for using the Cisco Small Business Support Community. I'm sorry to hear that you are having trouble configuring your Guest Wireless, and I hope that we can help you find a solution.
  I am not familiar with the GS100TPv2-- are you able to configure Layer 3 interfaces on it for each VLAN in order to handle routing, or do you have the switch plugged in to a router that can handle the VLANs?
  I have also looked through our Knowledge Base to find information that might help out with configuring the captive portal itself, and I found the following article that might provide some additional information on setting up Guest Wireless. While not specifically being for your devices, I hope that this will provide some insight into how to handle the routing of VLANs to provide multiple SSIDs access to your internet connection:
  Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches
  Please reply back with any additional information and we will do our best to help resolve your problem!
  If this post solves your issue, please remember to mark your question and resolved and rate any helpful posts to help other members in the community! Thanks!
  Best,
  Gunner

• Auth-fail VLAN vs Guest VLAN

  Hi All,
  What criteria is used to determine whether to use the auth-fail VLAN or the guest VLAN?
  What if a non-802.1x client connects to the port, say a Vendor.... 802.1x doesn't occur, so does it then transition to guest vlan?
  What if a vendor brings in an 802.1x capable PC and connects it... the auth fails, but I'd want the vendor to go into the guest VLAN anyway, Could I give them a temporary username / PW maybe to authenticate with? hmmm...
  Thanks in advance.

  Hello,
       The Auth-Fail VLAN is invoked if an Access-Reject is received from the Radius server for the
       user or machine authentication.  The Auth-Fail VLAN will be invoked after a number of failures
       not after the first authentication failure.  This is a configurable value.
       The Guest VLAN is invoked if not EAPoL traffic is received from the connecting client.
       You can set the Auth-Fail VLAN and the Guest VLAN to the same VLAN ID if you want
       users who come in with the supplicant disabled or someone with invalid credentials (or no credentials).
  --Jesse

• AP 1100 with freeradius VLAN problem

  Hi there.
  I have an installation which consists in a Cisco Access Point 1100 and a freeradius server connected to a LDAP server.
  I want to setup several VLANs and assing them to the users depending on what group they belong to. All the freeradius and LDAP stuff is working, users get authenticated using their user/password stored in LDAP and everything runs smoothly. However, I can't get the AP to assing the VLANs dinamically.
  I pass this Radius attributes (from the freeradius log):
  Tunnel-Medium-Type:1 = 802
  Tunnel-Type:1 = VLAN
  Tunnel-Private-Group-Id:1 = "11"
  Do I have to pass any other attribute? Are there any format errors in the attributes I pass?. I would say they are Ok, but can't tell.
  On the other hand, I could have a problem on the AP1100 configuration. I simply added the VLANs (names and ID, no Native Mode).
  Do I need to tweak any other setting? Is there any kind of filter or something to activate?.
  Thank you very much in advance,

  Hi,
  If the phone is not associating to the AP you need to verify that the configuration on the phone (check under "Network config" tab) is the same than in the AP.
  Verify
  -SSID is set to "specify" and the SSID1 value is the same that what is configured on the AP for that vlan.
  -The "Authentication" selected is the same than in the AP. If it's LEAP verify as well the username/pwd configured. If it's Shared key, doublecheck the Web key under Encryption parameter (it's easy to mistype numbers from 1-3 as they are on same key than A-F).
  If those two are properly configured you will see under "site survey"a list of AP matching SSID and authentication method.
  Make sure as well that non supported features are unchecked on the AP for the vlan where your phones reside(TKIP/MIC,PMIP)

• Dot1x guest VLAN on 2960G

  Hi,
  I have a 2960 sw configured for dot1x authentication, the problem is the Guest VLAN and Restricted VLAN didnot work. The switch port was stuck in authenticating status.
  The server is Juniper IC4500.
  Switch is 2960G, IOS 15.0(1)SE2
  the configuration:
  aaa new-model
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization exec default local
  aaa authorization network default group radius
  dot1x system-auth-control
  dot1x test timeout 30
  dot1x guest-vlan supplicant
  dot1x critical eapol
  interface FastEthernet0/32
  switchport access vlan 28
  switchport mode access
  authentication event fail action authorize vlan 41
  authentication event server dead action authorize vlan 41
  authentication event server dead action authorize voice
  authentication event no-response action authorize vlan 41
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab
  authentication port-control auto
  authentication timer reauthenticate 300
  authentication violation protect
  mab eap
  dot1x pae authenticator
  dot1x timeout quiet-period 5
  dot1x max-req 1
  dot1x max-reauth-req 1
  dot1x max-start 1
  spanning-tree portfast
  Anyone with experience on this pls help.
  Thanks,
  hoanghiep

  forgot to mention that multi-auth do not support actions on either no-response or fail authentication events. So you need to set host-mode to MDA or single host.
  Ref:
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875