Hello all,

I am struggling with the way the Guest Vlan is handled in dot1x. All the port states work just fine, except that during workstation boot-up the switch does not receive dot1x packets from the workstation's dot1x client, hence forcing the port to fall into the Guest Vlan, as below:
=============================================
C3560#sh authentication sessions interface fa0/38
            Interface:  FastEthernet0/38
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  330
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A821A5C00003727DE21D3A1
      Acct Session ID:  0x000045A8
               Handle:  0x63000727

Runnable methods list:
       Method   State
       dot1x    Failed over
==============================================

Once the PC and its dot1x client or supplicant are up and running, the port status does not change as I would expect - to the production Vlan. The only remedy here is to shut / no shut the port.

port config:
====================
interface FastEthernet0/38
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 500
 priority-queue out
 authentication event fail action authorize vlan 330
 authentication event server dead action authorize vlan 100
 authentication event no-response action authorize vlan 330   <= it works without this command for compliant users, however non-compliant guest machines would not be allowed any network connectivity at all
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer restart 20
 authentication timer reauthenticate 20
 authentication timer inactivity 120
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout server-timeout 100
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 10
 spanning-tree portfast
end
===========================

Many thanks for any hints,
Pavel Skovajsa

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
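
To audit how many ports sit in the state shown in the post, captured `show authentication sessions` output can be parsed offline. The Python below is an added example, not part of the original message; the fa0/39 session in the sample is constructed, and the function names `parse_sessions` and `guest_vlan_fallbacks` are hypothetical.

```python
import re

# Constructed sample: fields from the post's fa0/38 session, plus a made-up
# fa0/39 session that authenticated normally (illustrative values only).
SAMPLE = """\
C3560#sh authentication sessions interface fa0/38
            Interface:  FastEthernet0/38
            User-Name:  UNRESPONSIVE
        Authorized By:  Guest Vlan
          Vlan Policy:  330
Runnable methods list:
       Method   State
       dot1x    Failed over
C3560#sh authentication sessions interface fa0/39
            Interface:  FastEthernet0/39
            User-Name:  host/pc39.example.test
        Authorized By:  Authentication Server
          Vlan Policy:  100
Runnable methods list:
       Method   State
       dot1x    Authc Success
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z .-]*?):\s+(\S.*?)\s*$")   # "Label:  value"
METHOD = re.compile(r"^\s*(dot1x|mab|webauth)\s+(\S.*?)\s*$")       # method table rows

def parse_sessions(text):
    """Split the CLI text into one dict per 'Interface:' block."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            if m.group(1) == "Interface":
                cur = {"Interface": m.group(2), "methods": {}}
                sessions.append(cur)
            elif cur is not None:
                cur[m.group(1)] = m.group(2)
        elif cur is not None and (m := METHOD.match(line)):
            cur["methods"][m.group(1)] = m.group(2)
    return sessions

def guest_vlan_fallbacks(sessions):
    """Ports placed in the Guest Vlan because no supplicant answered dot1x."""
    return [(s["Interface"], s.get("Vlan Policy")) for s in sessions
            if s.get("Authorized By") == "Guest Vlan"
            and s.get("User-Name") == "UNRESPONSIVE"
            and s["methods"].get("dot1x") == "Failed over"]

if __name__ == "__main__":
    print(guest_vlan_fallbacks(parse_sessions(SAMPLE)))
```

Run periodically against collected output, this lists ports that were authorized through the no-response path, which are the ones that stay in Vlan 330 until the port is bounced.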