Hello
I have a very strange issue and I guess I have something configured wrong.
Here is my 802.1x config, pretty basic:
aaa port-access gvrp-vlans
aaa port-access authenticator 2/43-2/44
aaa port-access authenticator 2/43 client-limit 10
aaa port-access authenticator active
aaa port-access mac-based 2/43
aaa port-access mac-based 2/43 unauth-vid 2
aaa port-access 2/43 mixed
When I plug in a phone on port 2/43, the phone boots to the proper VLAN (provided by RADIUS):
show port-access mac-based clients 2/43 detailed
Port Access MAC-Based Client Status Detailed
Client Base Details :
Port : 2/43
Client Status : authenticated
Session Time : 182 seconds
MAC Address : FFFFFF-5cc306
Session Timeout : 0 seconds
IP : n/a
Access Policy Details :
COS Map : Not Defined
In Limit Kbps : Not Set
Untagged VLAN : Not Set
Out Limit Kbps : Not Set
Tagged VLANs : 30
Port Mode : 1000FDx
Auth Mode : User-based
RADIUS ACL List : No Radius ACL List
OK, the next step is to connect a laptop with the Windows service "dot3svc" enabled, which works properly as well:
Client Base Details :
Port : 2/43
Client Status : Authenticated
Session Time : 1160 seconds
Client name : host/XX-XX-XX.XX...
Session Timeout : 0 seconds
IP : n/a
MAC Address : FFFFFF-4664aa
Access Policy Details :
COS Map : Not Defined
In Limit Kbps : Not Set
Untagged VLAN : 10
Out Limit Kbps : Not Set
Tagged VLANs : No Tagged VLANs
Port Mode : 1000FDx
RADIUS ACL List : No Radius ACL List
So both are connected properly:
show port-access clients
Port Access Client Status
Port  Client Name  MAC Address  IP Address  Type   VLAN
2/43               FFFFFF-5c..  n/a         8021X  30
2/43  host/XX-..   FFFFFF-46..  n/a         8021X  10
2/43  FFFFFF5c..   FFFFFF-5c..  n/a         MAC    30
2/43               FFFFFF-46..  n/a         MAC    10
The next step is to disable the Windows service "dot3svc", which should place the client in the "unauth-vid 2"; this works again as expected:
show port-access mac-based clients 2/43 detailed
Port Access MAC-Based Client Status Detailed
Client Base Details :
Port : 2/43
Client Status : rejected,unauth vlan
Session Time : 25 seconds
MAC Address : 186024-4664aa
Session Timeout : 0 seconds
IP : n/a
Access Policy Details :
COS Map : Not Defined
In Limit Kbps : Not Set
Untagged VLAN : 2
Out Limit Kbps : Not Set
Tagged VLANs : No Tagged VLANs
Port Mode : 1000FDx
Auth Mode : User-based
RADIUS ACL List : No Radius ACL List
But when I connect the phone (which authenticated successfully with MAC) and, behind the phone, a client with the Windows service "dot3svc" disabled, the following happens:
show port-access mac-based clients 2/43 detailed
Port Access MAC-Based Client Status Detailed
Client Base Details :
Port : 2/43
Client Status : authenticated
Session Time : 230 seconds
MAC Address : 00085d-5cc306
Session Timeout : 0 seconds
IP : n/a
Access Policy Details :
COS Map : Not Defined
In Limit Kbps : Not Set
Untagged VLAN : Not Set
Out Limit Kbps : Not Set
Tagged VLANs : 30
Port Mode : 1000FDx
Auth Mode : User-based
RADIUS ACL List : No Radius ACL List
Client Base Details :
Port : 2/43
Client Status : rejected no vlan
Session Time : 45 seconds
MAC Address : 186024-4664aa
Session Timeout : 0 seconds
IP : n/a
Access Policy Details :
COS Map : Not Defined
In Limit Kbps : Not Set
Untagged VLAN : Not Set
Out Limit Kbps : Not Set
Tagged VLANs : No Tagged VLANs
Port Mode : 1000FDx
Auth Mode : User-based
RADIUS ACL List : No Radius ACL List
For some reason the client does not get the unauth-vlan assigned; instead it shows "Client Status : rejected no vlan".
Does anyone have an idea what I am missing?
Thanks a lot in advance.