May 16th, 2022 23:00
N2048P and N1548P Guest VLAN Assignment Issues
Hi Team,
I've run into an issue where clients are getting a Guest VLAN assigned. This should not happen because my RADIUS server is assigning a correct VLAN for each client connecting. Under what circumstances does a client get assigned to a guest VLAN? And what port configuration is triggering guest VLAN 40 in my case?
SWITCH#show authentication clients all
Interface MAC-Address Method Host Mode Control Mode VLAN Assigned Reason
--------- ----------------- ------- ------------------------ ------------ --------------------------
~~SNIP~~
Gi3/0/32 ~MAC-Address #1~ 802.1X multi-domain auto RADIUS Assigned VLAN (40)
Gi3/0/34 ~MAC-Address #2~ mab multi-domain auto RADIUS Assigned VLAN (4)
Gi3/0/37 ~MAC-Address #3~ 802.1X multi-auth auto RADIUS Assigned VLAN (40)
Gi3/0/37 ~MAC-Address #4~ mab multi-auth auto RADIUS Assigned VLAN (4)
Gi3/0/37 ~MAC-Address #5~ none multi-auth auto Guest VLAN (40)
Gi3/0/37 ~MAC-Address #6~ none multi-auth auto Guest VLAN (40)
Gi3/0/37 ~MAC-Address #7~ none multi-auth auto Guest VLAN (40)
~~SNIP~~
SWITCH#show authentication statistics gigabitethernet 3/0/37
Port........................................... Gigabitethernet 3/0/37
802.1X attempts................................ 1134
802.1X failed attempts......................... 626
MAB attempts................................... 1191
MAB failed attempts............................ 385
Captive-portal attempts........................ 0
Captive-portal failed attempts................. 0
SWITCH#show running-config interface gigabitethernet 3/0/37
description "NAC ENABLED"
spanning-tree portfast
switchport mode general
authentication host-mode multi-auth
authentication event fail action authorize vlan 40
authentication event no-response action authorize vlan 40
authentication event server dead action authorize vlan 40
authentication event server alive action reinitialize
authentication periodic
dot1x timeout tx-period 1
dot1x max-reauth-req 3
dot1x max-req 3
mab
authentication order dot1x mab
authentication priority dot1x mab
DELL-Erman O
Moderator
May 17th, 2022 06:00
Hi, I found some information; refer to pg 318 https://dell.to/3MoooHH
"Hosts that fail authentication may be denied access to the network or placed into an unauthenticated VLAN, if configured. Hosts that do not attempt authentication may be placed into a guest VLAN, if configured. The network administrator can configure the type of access provided to the authenticated, guest, and unauthenticated VLANs."
console(config-if)#dot1x guest-vlan 40
console(config-if)#exit
Also, you can look over pg 320, Guest VLAN https://dell.to/3MoooHH
Please check page 986 https://dell.to/37VfJNY
It might help to increase dot1x timeout guest-vlan-period.
You can check guest VLAN on pg 988 https://dell.to/37VfJNY
show dot1x advanced gigabitethernet 3/0/37
Hope that helps!
lk2819
May 18th, 2022 01:00
Hi Erman,
Thank you for your reply. The guide states: "Hosts that fail authentication may be denied access to the network or placed into an unauthenticated VLAN, if configured. ..." however I haven't configured a guest VLAN on this interface, as you can see in my original post.
I've debugged the interface config (set different VLAN IDs) to see which command is issuing the 'Guest VLAN', and it turns out it's hitting 'authentication event no-response action authorize vlan':
Is there a way to debug when and why it hits no-response? Do you have any tips?
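An added example, not part of either poster's messages or of Dell's documentation: a small Python check that lists, for every client reported with the reason "Guest VLAN", the `authentication event ... action authorize vlan` lines that share its VLAN ID. When several events point at the same ID, as all three do in the posted config, the output alone cannot show which one fired, which is why giving each event a distinct ID isolates the trigger. The sample text is constructed from the posted output with placeholder MAC addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the output posted in this thread;
# the MAC addresses are placeholders.
RUNNING_CONFIG = """\
authentication host-mode multi-auth
authentication event fail action authorize vlan 40
authentication event no-response action authorize vlan 40
authentication event server dead action authorize vlan 40
authentication event server alive action reinitialize
"""
CLIENTS = """\
Gi3/0/37 00:00:5e:00:53:03 802.1X multi-auth auto RADIUS Assigned VLAN (40)
Gi3/0/37 00:00:5e:00:53:04 mab multi-auth auto RADIUS Assigned VLAN (4)
Gi3/0/37 00:00:5e:00:53:05 none multi-auth auto Guest VLAN (40)
"""

EVENT_RE = re.compile(r"^authentication event (.+?) action authorize vlan (\d+)$")
# interface, MAC, method, host mode, control mode, reason, (VLAN)
CLIENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(.+?)\s+\((\d+)\)$")

def fallback_vlans(config):
    """Map VLAN ID -> 'authentication event' triggers that authorize into it."""
    vlans = defaultdict(list)
    for line in config.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            vlans[int(m.group(2))].append(m.group(1))
    return dict(vlans)

def explain_guest_clients(config, clients):
    """List, per 'Guest VLAN' client, the event lines sharing its VLAN ID."""
    vlans, findings = fallback_vlans(config), []
    for line in clients.splitlines():
        m = CLIENT_RE.match(line.strip())
        if m and m.group(3) == "Guest VLAN":
            candidates = vlans.get(int(m.group(4)), [])
            findings.append({"interface": m.group(1), "mac": m.group(2),
                             "vlan": int(m.group(4)), "candidates": candidates,
                             "ambiguous": len(candidates) > 1})
    return findings

if __name__ == "__main__":
    for f in explain_guest_clients(RUNNING_CONFIG, CLIENTS):
        print(f)
```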
DELL-Erman O
Moderator
May 18th, 2022 02:00
Hi, I looked at the show interface commands in the CLI guide, but it looks like we won't be able to see a log of when it happened with them. I think the closest debug method would be the "show tech-support" command, because it combines all of these commands and shows:
• show interfaces transceiver
• show power inline
• show switch stack-port counters
• show nsf
• show slot
• show interfaces advertise
• show interfaces advanced firmware
• show lldp remote-device all
• show interfaces counters errors
• show fiber-ports optical-transceiver
• show process cpu
• show ethernet cfm errors (N4000 series only)
• show power inline firmware-version
• show version
• show interfaces transceiver properties