Solved

Dynamic VLAN Assignment - authentication result overriden for client

Posted on 2014-01-23
Last Modified: 2014-01-29
Hi everyone,

We are trying to set up dynamic vlan assignment based on AD user groups, but so far it's not quite working. At first, machine authentication is performed, and if the machine authenticates successfully then it's placed on vlan 1. User authentication takes place next: domain admins stay in vlan 1, students get placed in vlan 12, and instructors get placed in vlan 13. Machine authentication works, and domain admins are able to authenticate without any issues as well, but authentication for students and instructors fails.

The clients are running Windows 7, our RADIUS server is running on WS 2008 R2, and the Cisco switch in question is a 2960-S. We don't have enough wall ports for each machine, so there is also a 5 port unmanaged switch (Cisco SG100D-05) that connects 3 test clients to one port on the 2960. We suspect that the workgroup switch is the problem, but any help on this matter would be greatly appreciated. The NPS server log doesn't show any errors, and the Cisco config is listed below. Thank you.

Switch config:
aaa new-model
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
radius-server dead-criteria time 5 tries 10
radius-server host 10.42.10.13 auth-port 1812 acct-port 1813 key 7 pswd
radius-server vsa send authentication

interface GigabitEthernet3/0/10
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
end



Here is the output on the switch after a user logs in:
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
dot1x-redundancy: State for client  000f.fe8e.28ef successfully retrieved
dot1x-ev(Gi3/0/10): Received Authz fail for the client  0x42000DF6 (000f.fe8e.28ef)
dot1x-sm(Gi3/0/10): Posting_AUTHZ_FAIL on Client 0x42000DF6
dot1x_auth Gi3/0/10: during state auth_authc_result, got event 22(authzFail)
@@@ dot1x_auth Gi3/0/10: auth_authc_result -> auth_held
0x42000DF6:auth_held_enter called
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D


Question by: Robert Davis

4 Comments
Accepted Solution
by: Rich Rumble
Rich Rumble earned 300 total points
Assisted Solution
by: Robert Davis
Robert Davis earned 0 total points
When using multiple authentication, after a vlan is assigned to the first host on the port, the subsequent hosts must use the same vlan or they are denied access to the port. In our case, once the computers are assigned to vlan 1, only users who are also assigned to vlan 1 (domain admins) are then able to successfully log in.
We ended up getting rid of the initial computer authentication, and we are using open authentication on the switch port instead. This way the machines have network access prior to user authentication, but user vlan assignment also works.
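Added here as a reader's example, not from the question or the answers: a small Python log correlator run over constructed lines in the same %AUTHMGR/%DOT1X formats the question quotes. It flags sessions where the RADIUS accept was followed by an unapplied authorization and counts distinct hosts per port, which is the multi-auth situation the assisted solution describes. The function names, the second MAC and the session IDs in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, not taken from the question: the three syslog formats the question
# quotes, for one client, plus a second client on the same port with only a successful
# authentication (the second MAC and both session IDs are made up).
SAMPLE_LOG = [
    "%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D",
    "%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D",
    "dot1x-sm(Gi3/0/10): Posting_AUTHZ_FAIL on Client 0x42000DF6",
    "%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D",
    "%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0011.2233.4455) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077429170A2E",
]

# Matches the %AUTHMGR / %DOT1X messages; the quoted result word exists only on RESULT lines.
LINE_RE = re.compile(
    r"%(?:AUTHMGR|DOT1X)-\d-(?P<mnemonic>[A-Z_]+): (?:Authentication result '(?P<result>\w+)')?.*?"
    r"client \((?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)

def parse_line(line):
    """Fields of one %AUTHMGR/%DOT1X message, or None for the dot1x-ev/dot1x-sm debug lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def find_unapplied_authz(lines):
    """Group messages by AuditSessionID and return the sessions in which RADIUS accepted
    the client but the switch then logged that the authorization could not be applied."""
    sessions = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            sessions[ev["sid"]].append(ev)
    flagged = {}
    for sid, evs in sessions.items():
        names = [e["mnemonic"] for e in evs]
        accepted = any(e["mnemonic"] == "RESULT" and e["result"] == "success" for e in evs)
        if accepted and "FAIL" in names:
            flagged[sid] = {"mac": evs[0]["mac"], "intf": evs[0]["intf"],
                            "overridden": "RESULT_OVERRIDE" in names}
    return flagged

def hosts_per_interface(lines):
    """Distinct client MACs per port; several on one multi-auth port is the situation
    in which a client whose RADIUS VLAN differs from the first host's is refused."""
    seen = defaultdict(set)
    for ev in filter(None, map(parse_line, lines)):
        seen[ev["intf"]].add(ev["mac"])
    return {intf: len(macs) for intf, macs in seen.items()}
```

Feed the output of `show logging` (or the syslog collector's file) to find_unapplied_authz to see which sessions were accepted by NPS yet refused by the port.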
Expert Comment
by: Rich Rumble
802.1x can be a pain :) I've not had the trouble you're describing yet, but I'm sure someone else has. Cisco TAC was able to help us in some of the situations; if you can, I'd open a case with them. We've had switches that didn't fully support the settings we were trying to do, and had to upgrade the hardware because they were too old.
-rich
Author Closing Comment
by: Robert Davis
Rich put me on the right track, thanks!
