Wireless 802.1X guest VLAN

Hi everybody,
Is there a way on the wireless controller or the ACS to configure a guest or a failed VLAN if the 802.1X authentication was not successful, like it's possible on the wired infrastructure?
Thanks and regards

I see what you're saying. I am actually going to mock this up in my lab over the holidays. My understanding was NAC would do this; unfortunately I don't have NAC, but I will be doing this with IAS and then ACS, so I will find out if it's possible over the next week or so.
I can see the issue if you have wired 802.1x already, but maybe using separate policies. Also, different guest policies pose an issue. The simple way is separate SSIDs for different guests etc. and 802.1x, which is easy. I don't understand why the client I have wants to do it this way, but it's an interesting challenge.

Similar Messages

  • 802.1x Guest Vlan and Routed access layer design

    Hi!
    For many reasons, I have to re-design my campus network in a more ISP-like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest VLAN on my access ports (3750). I was reading on the subject and I found that the guest VLAN feature was not available with an internal VLAN (routed port).
    Is this limitation really there? Is there a way I can get around it without complicating my design even more? Does Cisco have plans to lift this?

    You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
    The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
    Hope this helps,

  • 802.1x Auth-Fail VLAN and Guest-VLan not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    The idea is that if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the corp network but can still get to the internet.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest VLAN right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the VLAN interface. I have 802.1x working for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shameless bump...

  • 802.1X un-authenticated user and guest VLAN

    Is there an option for 802.1X wired network to put any un-authenticated user onto the guest VLAN instead of no access? Thanks.

    You can read more about "802.1X authentication failure VLAN" in the release notes for cat 6000 8.4 new features. It may not be in your hardware yet.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm

  • 802.1X with Guest vlan support IOS version ???

    I don't know which IOS version supports 802.1X with guest VLAN on Catalyst 2950 and 3550 switches.
    Please reply to my question.

    Thank you for your help.
    Also, the Cisco web is explained, except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3,
    but I can't understand: my site is using Catalyst 2950 SI for 802.1X and guest VLAN in IOS image 12.1(22)EA3
    ex) TW_14F_A_C2950_32.8#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    Model number: WS-C2950-24
    Please reply to my question.

  • 802.1.x guest VLAN problem

    Hi,
    I have configured a guest VLAN on a switch port. When I power on the PC and don't log in, the PC after some time goes to the guest VLAN, but it doesn't acquire an IP address, and after some time the port goes to the unauthorized state and then after some time goes to the guest VLAN again, and so on.
    I'm using XP sp2 with:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode DWORD Value = 3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode DWORD Value = 0
    Could someone give some help,please.
    Thanks
    BR

    The key here is your AuthMode setting of 0. With this setting, if a connection has already been authenticated with machine-auth, the user's credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is if you have configured AuthMode = 0 AND then turned off machine-authentication.
    As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
    I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
    *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
    *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
    *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
    Hope this helps.

  • 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

    Hello,
    I have tried to configure a dot1x-based authentication.
    With a single host including guest-vlan, everything works fine.
    But I want to use an IP phone (which is authenticated every time) and behind the phone a client.
    Is there a possible solution? And unfortunately the IP phones are Avaya phones.
    I have just tried this...
    interface GigabitEthernet0/4
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 200
    authentication event fail action authorize vlan 99
    authentication event server dead action authorize vlan 121
    authentication event server alive action reinitialize
    authentication host-mode multi-host
    authentication order dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    spanning-tree portfast
    Thanks, for any possible solution!

    Unfortunately, because they are Avaya phones, the easy answer, CDP-Bypass, fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice VLANs on each phone, but that could get tedious depending on the number of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate VLAN if configured correctly.
    What are you using for a RADIUS server?

  • ACS with wireless 802.1x

    We have some AP1100 using 802.1x authentication with a ACS server, that is then looking up users on a windows domain, that is working fine.
    I would like to be able to have a specific group on the ACS that is then mapped to a Windows group, and when the wireless users try to get authenticated they are only allowed access if they belong to that group.
    In our situation the users could possibly belong to other groups on the ACS, but should not be authenticated when they are in those groups,
    just the one specific to the wireless.
    any ideas ?
    Arni

    You can implement it through NAR, OR do dynamic VLAN assignment for only one group; all others can fall into a guest VLAN or restricted VLAN.
    The following whitepaper can help with NAR:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
    Remember that for wireless, CLI/DNIS NAR works.
    ~Rohit

  • Adding a guest VLAN to 1240s

    I have some Cisco 1240 Access Points which are not centrally managed. I want to add 802.1Q trunking so as to be able to provision a guest VLAN. But a trick is that these APs are in some very high ceilings. I would like to provision the new trunking and guest VLAN without having to remove them from the ceiling. Someone suggested I just make the native VLAN the same as the existing one and make the port to which it attaches a trunked port. But when I did this I lost connectivity to the Access Point. Access came back as soon as I made the switch port an access port. Can someone suggest a recipe for how I can add the trunking and guest VLAN without having to get into the ceilings to remove them and configure them via console or other? Thank you.

    Stephen Rodriguez wrote: Create your config then tftp it to the start config. Then when you are ready reboot the AP and change the switch port. Steve. Sent from Cisco Technical Support iPhone App
    You can do that, but you need to be careful, because if there is something wrong with the config and you can't reach the AP, then you can't correct the config via tftp back again and you have to unmount the AP.
    It is better you start doing the config with the easiest AP to unmount from the ceiling.
    You need to configure sub-interfaces in your current AP to support multiple VLANs.
    Hope those links will help you:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
    https://supportforums.cisco.com/docs/DOC-14496
    Amjad

  • Route Guest VLAN directly to the internet

    All, I am wanting to create a guest SSID/VLAN that is redirected straight to the internet, without any access to our network. I know how to create a guest SSID/VLAN but don't know how to send all traffic on that VLAN directly to the internet. How would the client obtain a DHCP address if it's on a VLAN separate from the network?

    Here is how I set up our wireless guest VLAN:
    1. I use 802.1x with PEAP to authenticate guests against an MS RADIUS server. Once successful, the AP allows the guest to broadcast a DHCP request.
    2. My router forwards the DHCP request to the DHCP server, which assigns an IP and the necessary options to guests, using the IP helper-address command.
    3. My router has access-lists to prevent guests from accessing any corporate IP addresses (allowing only DHCP broadcasts).
    4. A route-map is configured on the default router on the guest VLAN so that it will route all traffic sourced from that VLAN out to the Internet. I use "set ip default next-hop xxx.xxx.xxx.xxx" to route the traffic directly to our proxy server or firewall.
    This is not a very user-friendly setup on the client side, because I have to manually configure guest laptops to do 802.1x with PEAP. Sometimes it is a pain to work with so many different wireless cards/utilities.
    HTH,
    daniel

  • Yet another IAS + 802.1x dynamic vlan question

    Hello all,
    For the last 18 months or so there's been a steady stream of folks trying to get dynamic assignment of a VLAN to a user/group using Microsoft's IAS RADIUS.
    Having searched through the Netpro archives, I've never found a definitive explanation of how this is done.
    Sure, it's almost common knowledge by now that the three attributes 64 (Tunnel-Type=vlan), 65 (Tunnel-Medium=802) and 81 (Tunnel-Private-Group-ID=vlan name) need to be configured on the RADIUS server.
    Recently I discovered that IAS on Windows 2003 even includes the RADIUS "tunnel-tag" attribute, so even that can be included now (as =1).
    Still, having done this, and seeing a "debug radius" on a 2950 switch (with newest code) show that the tunnel-tag starts with "01", I still can't get this darn thing to work.
    Yes, it works for static 802.1x (no VLAN assignment) against an XP SP2 client.
    Yes, I included the "aaa authorization network default group radius" statement.
    If I configure a vlan 5 named "Sales", nothing works. Not when I configure attribute 81=Sales in IAS, not when I configure "5" in IAS. Heck, I even used hex values, till I got
    " Attribute 81 6 01000005 " in the debug,
    all sorts of permutations.
    Please Cisco, somebody, help us out here.
    The fact of the matter is, though ACS is probably the best way to go (it does NAC & FAST), a lot of clients say "hey, I've got a perfectly good RADIUS server for FREE in Windows".
    Can anybody shed some light on this?

    Here are working IAS settings and switch config:
    Ignore-User-Dialin-Properties 4101 True
    Framed-Protocol 7 PPP
    Service-Type 6 Framed
    Tunnel-Medium-Type 65 802
    Tunnel-Pvt-Group-ID 81 102
    Tunnel-Type 64 VLAN
    Tunnel-Tag 4170 1
    *Note that I have VLAN#, not VLAN name on attribute 81
    aaa new-model
    aaa authentication dot1x default group radius none
    aaa authorization network default group radius none
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    interface FastEthernet0/1
    switchport access vlan 100
    switchport mode access
    dot1x port-control auto
    dot1x timeout reauth-period 300
    dot1x guest-vlan 997
    dot1x reauthentication
    spanning-tree portfast

  • 802.1x Dynamic VLAN Switching Question

    Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.
    Environment:
    ACS Express 5.0.1
    C3550 running c3550-ipbasek9-mz.122-44.SE6.bin
    Switch config:
    aaa new-model
    aaa group server radius dot1x
    server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541
    aaa authentication dot1x default group dot1x
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    interface FastEthernet0/3
    switchport access vlan 3
    switchport mode access
    speed 100
    duplex full
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode protect
    dot1x timeout tx-period 5
    dot1x timeout supp-timeout 5
    spanning-tree portfast
    ip radius source-interface FastEthernet0/1 vrf default
    !
    radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 01000307490E125E731F
    Am I missing something easy?

    It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.
    The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down".

  • 802.1x Dynamic VLans

    I'm trying to figure out a way to get to 802.1x and dynamic VLANs.
    I have all types of devices; some log into Windows AD, some don't.
    Is this possible?
    The port is set up to use 802.1x. The RADIUS server first checks against AD, then checks for the MAC address; if no conditions are met, the port is set to a catch-all type VLAN and starts forwarding.
    Something like:
    1. A domain user/PC connects, the user logs into AD and is assigned to a user VLAN.
    2. A printer is connected and assigned to a printer VLAN.
    3. A guest connects and is assigned to a guest VLAN.
    I would like to not have to put MAC addresses in for PCs that are members of the Windows domain.

    Hi,
    Please find the answers inline:
    1. A domain user/PC connects, the user logs into AD and is assigned to a user VLAN.
    This is possible by using RADIUS extended attributes to assign the VLAN dynamically. For this to work, you need to define the RADIUS server host and key on the switch/NAD, then enable dot1x on the switchport to force authentication through RADIUS. You can have a NAC client to key in your AD username/password. You would need to configure your RADIUS server to send vendor-specific attributes:
    [64] Tunnel-Type = VLAN
    [65] Tunnel-Medium-Type = 802
    [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
    Refer to CCO for more info on how the ACS server is configured for sending this info. Apart from this, on the switch configure "radius-server host x.x.x.x auth-port 1612 key *****" and the appropriate aaa commands to force dot1x to refer to RADIUS: "aaa authentication dot1x default radius".
    2. A printer is connected and assigned to a printer VLAN.
    For printers, or any non-dot1x-compliant device, it's general to use the MAC Authentication Bypass feature. By doing this we can make sure the ports connecting to printers use the default "switchport access vlan" configuration on these ports. With MAB, we add the MAC address of the printer on the ACS server (with the password as the MAC address) and make sure the printer is authenticated via the switch. If you don't want to use the MAC address for bypassing dot1x, you can probably disable dot1x on such ports. A similar methodology can be adopted for servers, which wouldn't need dot1x. Since there are few printers and servers on networks, you can disable dot1x on these ports.
    3. A guest connects and is assigned to a guest VLAN.
    This is achieved by using the guest-vlan feature. Guests who don't have a dot1x client will be put on a separate isolated VLAN called the guest VLAN. You can create a VLAN, say vlan 99, on the switch for guests, and on the switchport configure "dot1x guest-vlan 99". This would make sure the guests are separated and isolated. Make sure you have VLAN ACLs on VLAN 99 to restrict traffic for guest users only to the internet, or place them behind the DMZ of firewalls. You also have the "authentication failure" VLAN, which you can enable for production users when they fail authentication.
    Refer to this guide; it has all the information about 802.1x on switches:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1270660
    Hope this helps. All the best,
    Raj
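    The IAS settings in the "Yet another IAS + 802.1x dynamic vlan" reply above (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81, Tunnel-Tag) and the attribute list in this answer describe the same RADIUS Access-Accept contents. As an added example, not code from this thread, from Cisco or from IAS, the Python below encodes those RFC 2868 attributes, parses a reply and checks whether it forms a usable VLAN assignment; it also decodes the attribute 81 payload quoted in the IAS question (01000005), which is a tag byte followed by binary bytes rather than the ASCII VLAN number the working settings use. All packets are constructed here, not captured.

```python
"""Added example: build and check the RFC 2868 tunnel attributes that carry a
VLAN assignment in a RADIUS Access-Accept (attributes 64, 65 and 81 as listed
in the thread). Sample packets are constructed, not captured from a switch."""

TUNNEL_TYPE = 64               # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6      # RFC 2868: Tunnel-Medium-Type value "IEEE-802"


def encode_tagged_int(attr, tag, value):
    """Tagged integer AVP: type, length, tag byte, 3-byte big-endian value."""
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(payload)]) + payload


def encode_tagged_string(attr, tag, text):
    """Tagged string AVP: type, length, tag byte, then the ASCII text."""
    payload = bytes([tag]) + text.encode("ascii")
    return bytes([attr, 2 + len(payload)]) + payload


def vlan_assignment_avps(vlan, tag=1):
    """The three attributes a switch needs; `vlan` is a VLAN ID or VLAN name."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_avps(buf):
    """Walk RADIUS TLVs and return [(type, payload)], rejecting bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated AVP header")
        attr, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, i))
        out.append((attr, buf[i + 2:i + length]))
        i += length
    return out


def _tag(payload):
    # RFC 2868: a first byte of 0x01..0x1F is a tag; anything else is untagged.
    return payload[0] if 1 <= payload[0] <= 0x1F else 0


def vlan_from_access_accept(buf):
    """Return (vlan, None) if the attributes form a usable VLAN assignment,
    else (None, reason). These are the checks an authenticator must pass."""
    seen = {}
    for attr, payload in parse_avps(buf):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            if not payload:
                return None, "attribute %d is empty" % attr
            seen[attr] = payload
    missing = [a for a in (64, 65, 81) if a not in seen]
    if missing:
        return None, "missing attributes %s" % missing
    tags = {_tag(seen[a]) for a in (64, 65, 81)} - {0}   # untagged matches any
    if len(tags) > 1:
        return None, "tunnel tags do not match"
    if int.from_bytes(seen[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None, "Tunnel-Type is not VLAN (13)"
    if int.from_bytes(seen[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE802:
        return None, "Tunnel-Medium-Type is not IEEE-802 (6)"
    gid = seen[TUNNEL_PRIVATE_GROUP_ID]
    text = gid[1:] if _tag(gid) else gid      # strip the tag byte if present
    if not text or not all(0x20 <= b < 0x7F for b in text):
        return None, "Tunnel-Private-Group-ID is not printable text"
    return text.decode("ascii"), None


# Constructed: attribute 81 exactly as the debug line in the question shows it
# ("Attribute 81 6 01000005"), placed after well-formed 64/65 attributes.
HEX_ATTR81 = bytes.fromhex("5106" + "01000005")
QUESTION_REPLY = vlan_assignment_avps(5)[:12] + HEX_ATTR81

if __name__ == "__main__":
    print(vlan_from_access_accept(vlan_assignment_avps(102)))     # ('102', None)
    print(vlan_from_access_accept(vlan_assignment_avps("Sales")))  # ('Sales', None)
    print(vlan_from_access_accept(QUESTION_REPLY))  # group-id not printable
```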

  • 871 802.1x with vlan assignment aka dynamic vlan

    You can do VLAN assignment on 871W wireless using the local RADIUS server, but unfortunately only LEAP, which is N.G.
    I have been pounding on wired 802.1x PEAP (which works) trying to get VLAN re-assignment. I have tried with IAS, which I am using to do VLAN reassignment with the WLC, so I have the idea of how it works with IAS. With the 871, no go. I have also tried ACS for RADIUS with the same results: can't escape the switchport's VLAN. With debug radius local you can see the tunnel attributes for reassignment plainly, but with debug radius with IAS or ACS, nada.
    Using 12.4(6)T advanced IP.
    I have just seen that 12.4(4)CX2 has "802.1x with vlan reassignment" but the download is MIA. Wonder what's up with that?
    Has anybody got this to work? Any info much appreciated.
    Greg Turner

    SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
    802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
    SNMPv3 is supported.
    HTH
    Andy

  • Dot1X guest vlan authentication issue..Real Challenge!!

    Hi Guys!
    I would really appreciate it if someone could help me find a lead on this issue...
    My corporate and quarantine users don't get the correct VLAN as soon as I enable the Guest VLAN feature; all of them go to the guest VLAN...
    Scenario 1
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 1
    802.1X (Quarantine)= VLAN 20
    Non-802.1X (Guest) = Unauthorized
    Conclusion
    802.1x authentication is working without the guest VLAN feature
    Scenario 2
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication event no-response action authorize vlan 30
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 30 GuestVlan
    802.1X (Quarantine)= VLAN 30 GuestVlan
    Non-802.1X = VLAN 30 GuestVlan
    Conclusion
    802.1X doesn't work after enabling Guest VLAN feature (no-response)
    Some important notes...
    1) IOS version = c3750-ipbase-mz.122-50.SE.bin, the only IOS which supports 10gig modules...
    so I cannot test with any other IOS.
    2) We had older 3750 100 Mbps switches with the same config (we copied the config from the old switch to the new switch), and the only command which got changed automatically due to the IOS change is...
    dot1x guest-vlan 30 (old IOS syntax) = authentication event no-response action authorize vlan 30 (new IOS syntax)
    so even if you put in the old command syntax it will get changed to the new one...
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
    Guys please help me.........

    Just to update you here... after running some debugs on the switch I found that... (Scenario 2)
    When we connect 802.1X-enabled PCs (corporate users) and boot them, they initially behave like non-802.1X clients while booting, and during that time the switch puts them in the guest VLAN; but when the workstation comes to a state (login prompt) where they start communicating like 802.1X clients, the switch just fails to put them in the appropriate VLANs, maybe due to some timeout issues... I feel like I am very close to getting the solution but am just wondering which timers need to change, or maybe I am wrong if there is something else that needs to be put in... Anyway, I just shared my findings with you...
    The same workstations are working fine with the old switches without any problem... it is Windows XP SP3.
