Solved

Dynamic VLAN Assignment - authentication result overriden for client

Posted on 2014-01-23
Last Modified: 2014-01-29
Hi everyone,

We are trying to set up dynamic vlan assignment based on AD user groups, but so far it's not quite working. At first, machine authentication is performed, and if the machine authenticates successfully then it's placed on vlan 1. User authentication takes place next: domain admins stay in vlan 1, students get placed in vlan 12, and instructors get placed in vlan 13. Machine authentication works, and domain admins are able to authenticate without any issues as well, but authentication for students and instructors fails.

The clients are running Windows 7, our RADIUS server is running on WS 2008 R2, and the Cisco switch in question is a 2960-S. We don't have enough wall ports for each machine, so there is also a 5-port unmanaged switch (Cisco SG100D-05) that connects 3 test clients to one port on the 2960. We suspect that the workgroup switch is the problem, but any help on this matter would be greatly appreciated. The NPS server log doesn't show any errors, and the Cisco config is listed below. Thank you.

Switch config:
aaa new-model
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
radius-server dead-criteria time 5 tries 10
radius-server host 10.42.10.13 auth-port 1812 acct-port 1813 key 7 pswd
radius-server vsa send authentication

interface GigabitEthernet3/0/10
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
end

Here is the output on the switch after a user logs in:
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
dot1x-redundancy: State for client  000f.fe8e.28ef successfully retrieved
dot1x-ev(Gi3/0/10): Received Authz fail for the client  0x42000DF6 (000f.fe8e.28ef)
dot1x-sm(Gi3/0/10): Posting_AUTHZ_FAIL on Client 0x42000DF6
dot1x_auth Gi3/0/10: during state auth_authc_result, got event 22(authzFail)
@@@ dot1x_auth Gi3/0/10: auth_authc_result -> auth_held
0x42000DF6:auth_held_enter called
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D

Question by: Robert Davis
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 900 total points
ID: 39806410
LVL 1

Assisted Solution

by:Robert Davis
Robert Davis earned 0 total points
ID: 39807769
When using multiple authentication, after a vlan is assigned to the first host on the port, the subsequent hosts must use the same vlan or they are denied access to the port. In our case, once the computers are assigned to vlan 1, only users who are also assigned to vlan 1 (domain admins) are then able to successfully log in.
We ended up getting rid of the initial computer authentication, and we are using open authentication on the switch port instead. This way the machines have network access prior to user authentication, but user vlan assignment also works.
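A small model of the multi-auth rule described in the answer above, as an added illustration (not Cisco code, and not from the original thread): the first authorized session fixes the port's VLAN, and later sessions whose RADIUS-assigned VLAN differs are denied even though dot1x authentication itself succeeded. The two extra MAC addresses, the role-to-VLAN mapping and the simplified event wording are constructed for the example.

```python
"""Model of per-port VLAN assignment under 802.1X 'multi-auth' host mode.

Added example, not Cisco's implementation: event text is simplified and the
extra client MACs are made up. The rule modelled is the one stated in the
answer: after the first host on the port is assigned a VLAN, subsequent hosts
must land in the same VLAN or their authorization fails.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    assigned_vlan: Optional[int] = None          # VLAN fixed by first session
    sessions: dict = field(default_factory=dict)  # mac -> vlan
    log: list = field(default_factory=list)       # simplified syslog trail


def authorize(port: Port, mac: str, radius_vlan: int) -> bool:
    """Apply a *successful* dot1x result that carries a RADIUS VLAN.

    Returns True if the session is authorized on the port, False if the
    authorization step fails because of a VLAN conflict (multi-auth rule).
    """
    port.log.append(f"AUTHMGR-7-RESULT: success from dot1x for {mac} on {port.name}")
    if port.assigned_vlan is not None and port.assigned_vlan != radius_vlan:
        port.log.append(f"AUTHMGR-5-FAIL: authz failed for {mac} "
                        f"(RADIUS vlan {radius_vlan} != port vlan {port.assigned_vlan})")
        port.log.append(f"DOT1X-5-RESULT_OVERRIDE: result overridden for {mac}")
        return False
    if port.assigned_vlan is None:
        port.assigned_vlan = radius_vlan          # first session pins the VLAN
    port.sessions[mac] = radius_vlan
    return True


def run_scenario() -> dict:
    """Replay the question: machine auth to VLAN 1, then three user logons."""
    port = Port("Gi3/0/10")
    # One MAC from the posted log plus two constructed ones for the other clients.
    machines = ["000f.fe8e.28ef", "0011.2233.0002", "0011.2233.0003"]
    for mac in machines:
        authorize(port, mac, 1)                   # machine auth -> VLAN 1 (all pass)
    users = {"domain-admin": 1, "student": 12, "instructor": 13}
    return {role: authorize(port, mac, vlan)
            for (role, vlan), mac in zip(users.items(), machines)}


if __name__ == "__main__":
    print(run_scenario())
```

The domain admin is the only user whose RADIUS VLAN matches the VLAN already pinned by machine authentication, which is why only that logon succeeds in the original setup.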
LVL 38

Expert Comment

by:Rich Rumble
ID: 39807798
802.1x can be a pain :) I've not had the trouble you're describing yet, but I'm sure someone else has. Cisco TAC was able to help us in some of the situations; if you can, I'd open a case with them. We've had switches that didn't fully support the settings we were trying to do, and had to upgrade the hardware because they were too old.
-rich
LVL 1

Author Closing Comment

by:Robert Davis
ID: 39817300
Rich put me on the right track, thanks!