Solved

Dynamic VLAN Assignment - authentication result overridden for client

Posted on 2014-01-23
Last Modified: 2014-01-29
Hi everyone,

We are trying to set up dynamic VLAN assignment based on AD user groups, but so far it's not quite working. At first, machine authentication is performed, and if the machine authenticates successfully then it's placed on VLAN 1. User authentication takes place next: domain admins stay in VLAN 1, students get placed in VLAN 12, and instructors get placed in VLAN 13. Machine authentication works, and domain admins are able to authenticate without any issues as well, but authentication for students and instructors fails.

The clients are running Windows 7, our RADIUS server is running on WS 2008 R2, and the Cisco switch in question is a 2960-S. We don't have enough wall ports for each machine, so there is also a 5 port unmanaged switch (Cisco SG100D-05) that connects 3 test clients to one port on the 2960. We suspect that the workgroup switch is the problem, but any help on this matter would be greatly appreciated. NPS server log doesn't show any errors, and Cisco config is listed below. Thank you.

Switch config:
aaa new-model
!
! Logins and 802.1X are authenticated against RADIUS; "authorization network"
! is what lets the switch apply RADIUS-returned attributes such as the VLAN.
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
radius-server dead-criteria time 5 tries 10
radius-server host 10.42.10.13 auth-port 1812 acct-port 1813 key 7 pswd
radius-server vsa send authentication

interface GigabitEthernet3/0/10
 switchport mode access
 authentication control-direction in
 ! multi-auth: each MAC behind the port is authenticated separately, but the
 ! port can carry only one dynamically assigned VLAN at a time
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
end


Here is the output on the switch after a user logs in:
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
dot1x-redundancy: State for client  000f.fe8e.28ef successfully retrieved
dot1x-ev(Gi3/0/10): Received Authz fail for the client  0x42000DF6 (000f.fe8e.28ef)
dot1x-sm(Gi3/0/10): Posting_AUTHZ_FAIL on Client 0x42000DF6
dot1x_auth Gi3/0/10: during state auth_authc_result, got event 22(authzFail)
@@@ dot1x_auth Gi3/0/10: auth_authc_result -> auth_held
0x42000DF6:auth_held_enter called
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
Question by: Robert Davis

4 Comments
 
Accepted Solution by: Rich Rumble (LVL 38), ID: 39806410

LVL 1

Assisted Solution

by:Robert Davis
Robert Davis earned 0 total points
ID: 39807769
When using multiple authentication, after a vlan is assigned to the first host on the port, the subsequent hosts must use the same vlan or they are denied access to the port. In our case, once the computers are assigned to vlan 1, only users who are also assigned to vlan 1 (domain admins) are then able to successfully log in.
We ended up getting rid of the initial computer authentication, and we are using open authentication on the switch port instead. This way the machines have network access prior to user authentication, but user vlan assignment also works.
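The port configuration that follows is an added example, not the author's final config: it is the Gi3/0/10 config from the question with the change the author describes, `authentication open`, so hosts get link access before 802.1X completes and the machine no longer claims VLAN 1 ahead of the user. The pre-authentication ACL is an assumption added here, and 192.0.2.10 is a placeholder for a domain controller that the page does not name; without such an ACL, open mode gives an unauthenticated host full access to the port's access VLAN.

```cisco
! Hypothetical pre-authentication policy: DHCP, DNS and the domain controller
! only, so an unauthenticated host can reach AD for logon and nothing else.
! 192.0.2.10 stands in for the DC (assumed, not from the original post).
ip access-list extended PRE-AUTH
 remark pre-auth access for hosts that have not yet passed 802.1X
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 192.0.2.10
 deny   ip any any
!
interface GigabitEthernet3/0/10
 switchport mode access
 ip access-group PRE-AUTH in
 authentication control-direction in
 authentication host-mode multi-auth
 ! open mode: traffic is forwarded (subject to PRE-AUTH) before authentication,
 ! and only the user's RADIUS result now drives the port's VLAN assignment
 authentication open
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
```

Two checks before relying on this: multi-auth still allows a single dynamic VLAN per port, so two users behind the same unmanaged switch who are assigned different VLANs will still collide, and the NPS network policy must return the standard RFC 3580 attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=the VLAN number) for the switch to apply the assignment at all.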
 
Expert Comment by: Rich Rumble (LVL 38), ID: 39807798
802.1x can be a pain :) I've not had the trouble you're describing yet, but I'm sure someone else has. Cisco TAC was able to help us in some of the situations; if you can, I'd open a case with them. We've had switches that didn't fully support the settings we were trying to use, and had to upgrade the hardware because they were too old.
-rich
 
Author Closing Comment by: Robert Davis (LVL 1), ID: 39817300
Rich put me on the right track, thanks!