Solved

Dynamic VLAN Assignment - authentication result overriden for client

Posted on 2014-01-23
4
3,490 Views
Last Modified: 2014-01-29
Hi everyone,

We are trying to set up dynamic vlan assignment based on AD user groups, but so far it's quite not working. At first, machine authentication is performed, and if the machine authenticates successfully then it's placed on vlan 1. User authentication takes place next: domain admins stay in vlan 1, students get placed in vlan 12, and instructors get placed in vlan 13. Machine authent works, and domain admins are able to authenticate without any issues as well, but authentication for students and instructors fails.

The clients are running Windows 7, our RADIUS server is running on WS 2008 R2, and the Cisco switch in question is a 2960-S. We don't have enough wall ports for each machine, so there is also a 5 port unmanaged switch (Cisco SG100D-05) that connects 3 test clients to one port on the 2960. We suspect that the workgroup switch is the problem, but any help on this matter would be greatly appreciated. NPS server log doesn't show any errors, and Cisco config is listed below. Thank you.

Switch config:
aaa new-model
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
radius-server dead-criteria time 5 tries 10
radius-server host 10.42.10.13 auth-port 1812 acct-port 1813 key 7 pswd
radius-server vsa send authentication

interface GigabitEthernet3/0/10
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
end

Open in new window


Here is the output on the switch after a user logs in:
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
dot1x-redundancy: State for client  000f.fe8e.28ef successfully retrieved
dot1x-ev(Gi3/0/10): Received Authz fail for the client  0x42000DF6 (000f.fe8e.28ef)
dot1x-sm(Gi3/0/10): Posting_AUTHZ_FAIL on Client 0x42000DF6
dot1x_auth Gi3/0/10: during state auth_authc_result, got event 22(authzFail)
@@@ dot1x_auth Gi3/0/10: auth_authc_result -> auth_held
0x42000DF6:auth_held_enter called
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D

Open in new window

0
Comment
Question by:Robert Davis
  • 2
  • 2
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 300 total points
ID: 39806410
0
 
LVL 1

Assisted Solution

by:Robert Davis
Robert Davis earned 0 total points
ID: 39807769
When using multiple authentication, after a vlan is assigned to the first host on the port, the subsequent hosts must use the same vlan or they are denied access to the port. In our case, once the computers are assigned to vlan 1, only users who are also assigned to vlan 1 (domain admins) are then able to successfully log in.
We ended up getting rid of the initial computer authentication, and we are using open authentication on the switch port instead. This way the machines have network access prior to user authentication, but user vlan assignment also works.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39807798
802.1x can be a pain :) I've not had the trouble your describing yet, but I'm sure someone else has. Cisco TAC was able help us in some of the situations, if you can I'd open a case with them. We've had switches that didn't fully support the settings we were trying to do, and had to upgrade the hardware because they were too old.
-rich
0
 
LVL 1

Author Closing Comment

by:Robert Davis
ID: 39817300
Rich put me on the right track, thanks!
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Alot of sessions on a PC is generated 3 76
Cisco router external connection issues. 6 30
Application timeout 4 37
Citrix App 7 23
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question