Solved

Dynamic VLAN Assignment - authentication result overriden for client

Posted on 2014-01-23
3,229 Views
Last Modified: 2014-01-29
Hi everyone,

We are trying to set up dynamic VLAN assignment based on AD user groups, but so far it's not quite working. At first, machine authentication is performed, and if the machine authenticates successfully then it's placed in VLAN 1. User authentication takes place next: domain admins stay in VLAN 1, students get placed in VLAN 12, and instructors get placed in VLAN 13. Machine authentication works, and domain admins are able to authenticate without any issues as well, but authentication for students and instructors fails.

The clients are running Windows 7, our RADIUS server is running on WS 2008 R2, and the Cisco switch in question is a 2960-S. We don't have enough wall ports for each machine, so there is also a 5-port unmanaged switch (Cisco SG100D-05) that connects 3 test clients to one port on the 2960. We suspect that the workgroup switch is the problem, but any help on this matter would be greatly appreciated. The NPS server log doesn't show any errors, and the Cisco config is listed below. Thank you.

Switch config:
aaa new-model
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
radius-server dead-criteria time 5 tries 10
radius-server host 10.42.10.13 auth-port 1812 acct-port 1813 key 7 pswd
radius-server vsa send authentication

interface GigabitEthernet3/0/10
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
end



Here is the output on the switch after a user logs in:
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
dot1x-redundancy: State for client  000f.fe8e.28ef successfully retrieved
dot1x-ev(Gi3/0/10): Received Authz fail for the client  0x42000DF6 (000f.fe8e.28ef)
dot1x-sm(Gi3/0/10): Posting_AUTHZ_FAIL on Client 0x42000DF6
dot1x_auth Gi3/0/10: during state auth_authc_result, got event 22(authzFail)
@@@ dot1x_auth Gi3/0/10: auth_authc_result -> auth_held
0x42000DF6:auth_held_enter called
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D


Question by:Robert Davis
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 300 total points
ID: 39806410
LVL 1

Assisted Solution

by:Robert Davis
Robert Davis earned 0 total points
ID: 39807769
When using multiple authentication, after a vlan is assigned to the first host on the port, the subsequent hosts must use the same vlan or they are denied access to the port. In our case, once the computers are assigned to vlan 1, only users who are also assigned to vlan 1 (domain admins) are then able to successfully log in.
We ended up getting rid of the initial computer authentication, and we are using open authentication on the switch port instead. This way the machines have network access prior to user authentication, but user vlan assignment also works.
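An added example, not code from the question or any of the replies: it correlates the switch messages quoted in the question by AuditSessionID to flag sessions that authenticated but failed authorization, and models the multi-auth rule stated in the reply above. The three log lines are copied from the question; the diagnosis labels and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three lines quoted in the question.
SWITCH_LOG = """\
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (000f.fe8e.28ef) on Interface Gi3/0/10 AuditSessionID 0A2A0A180000077329170A2D
"""

# Only the %AUTHMGR / %DOT1X lines carry the client MAC, interface and session id.
LINE_RE = re.compile(
    r"%(?:AUTHMGR|DOT1X)-\d-(?P<mnemonic>\w+):(?: Authentication result '(?P<result>\w+)')?"
    r".*?client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)"
    r" AuditSessionID (?P<session>[0-9A-F]+)"
)

def parse_sessions(text):
    """Group AUTHMGR/DOT1X messages by AuditSessionID, in arrival order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sessions[m["session"]].append(m.groupdict())
    return dict(sessions)

def classify_session(events):
    """Turn one session's message sequence into a diagnosis label."""
    results = {e["result"] for e in events if e["mnemonic"] == "RESULT"}
    mnemonics = [e["mnemonic"] for e in events]
    if "success" in results and "FAIL" in mnemonics:
        # Credentials were accepted, then the switch refused the RADIUS
        # authorization data (e.g. a VLAN that conflicts with the port's).
        return "authz-conflict"
    if "success" in results:
        return "ok"
    return "authn-failed" if results else "incomplete"

def diagnose(text):
    """Return {AuditSessionID: (mac, interface, diagnosis)} for a log excerpt."""
    return {sid: (ev[0]["mac"], ev[0]["intf"], classify_session(ev))
            for sid, ev in parse_sessions(text).items()}

def multi_auth_authorize(port_vlans, vlan):
    """Model of the rule in the reply above (hypothetical helper): the first
    authorized host on a multi-auth port fixes its VLAN; later hosts must match."""
    if port_vlans and vlan != port_vlans[0]:
        return False  # this is the point at which the switch logs AUTHMGR-5-FAIL
    port_vlans.append(vlan)
    return True
```

With the question's scenario, `multi_auth_authorize` accepts the machine (VLAN 1) and a domain admin (VLAN 1) but rejects a student (VLAN 12) on the same port.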
LVL 38

Expert Comment

by:Rich Rumble
ID: 39807798
802.1x can be a pain :) I've not had the trouble you're describing yet, but I'm sure someone else has. Cisco TAC was able to help us in some of the situations; if you can, I'd open a case with them. We've had switches that didn't fully support the settings we were trying to do, and had to upgrade the hardware because they were too old.
-rich
LVL 1

Author Closing Comment

by:Robert Davis
ID: 39817300
Rich put me on the right track, thanks!
