Hi everyone.
I've got an issue about dot1x configuration with PowerConnect 5548 switch.
I configured a port like this:
interface gigabitethernet1/0/4
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x mac-authentication mac-only
dot1x radius-attributes vlan
dot1x port-control auto
Also, I configured dot1x violation mode to protect. So I imagine that, when a MAC address cannot be authenticated, the interface that is in dot1x violation mode will drop the packets.
My Radius authentication is working well.
When I ran the test, I got these messages:
pwr5548(config)# 18-Nov-2006 17:14:10 %LINK-W-Down: gi1/0/4
18-Nov-2006 17:14:19 %LINK-I-Up: gi1/0/4
18-Nov-2006 17:15:09 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC XX:XX:XX:XX:XX was rejected on port gi1/0/4 due to wrong user name or password in Radius server
So I guess it's working like I wanted.
But I can still obtain an address from my DHCP server, even though I configured dot1x violation mode to protect. I suppose this is not normal behaviour.
Why doesn't dot1x violation mode drop packets?
I also tried it with the shutdown option, but the interface didn't turn off.
Here is the show run of my switch:
pwr5548(config)# do sh run
vlan database
vlan 10,20,30,40,50,60,70,77,80,90,100
exit
voice vlan oui-table add 000181 Nortel__________________
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 001049 Shoretel________________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00907a Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
gvrp enable
iscsi target port 860 address 0.0.0.0
iscsi target port 3260 address 0.0.0.0
iscsi target port 9876 address 0.0.0.0
iscsi target port 20002 address 0.0.0.0
iscsi target port 20003 address 0.0.0.0
iscsi target port 25555 address 0.0.0.0
hostname pwr5548
radius-server host 192.168.12.17
radius-server key XXXXXXXX
aaa authentication login default local
aaa authentication dot1x default radius
line telnet
password 6e949a9a71d9dfb6f903ac979dd79e07b39e4c3f encrypted
exit
enable password level 15 encrypted 6e949a9a71d9dfb6f903ac979dd79e07b39e4c3f
username adminsw password encrypted 6e949a9a71d9dfb6f903ac979dd79e07b39e4c3f
privilege 15
ip ssh server
snmp-server location "PowerConnect 5548"
snmp-server contact "XXXXX"
snmp-server community public ro view Default
!
interface vlan 1
ip address dhcp
!
interface vlan 40
ip address 192.168.12.60 255.255.255.0
!
interface vlan 50
ip address 192.168.13.60 255.255.255.0
!
interface vlan 90
ip address 192.168.17.60 255.255.255.0
!
interface vlan 100
dot1x guest-vlan
!
interface gigabitethernet1/0/1
switchport mode trunk
!
interface gigabitethernet1/0/2
switchport mode trunk
!
interface gigabitethernet1/0/3
switchport access vlan 40
!
interface gigabitethernet1/0/4
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x mac-authentication mac-only
dot1x radius-attributes vlan
dot1x port-control auto
!
The other interfaces are not important.
Here is my show dot1x advanced:
pwr5548(config)# do sh dot1x advanced
Guest VLAN: 100
Guest VLAN timeout:
Unauthenticated VLANs:
Radius attributes error handling acl: Reject.
Interface   Multiple Hosts  Guest VLAN  MAC Authentication  VLAN Assignment  Legacy-supp Mode  Policy Assignment
----------- --------------  ----------  ------------------  ---------------  ----------------  -----------------
gi1/0/1     Enabled         Disabled    Disabled            Disabled         Disabled          Disabled
gi1/0/2     Enabled         Disabled    Disabled            Disabled         Disabled          Disabled
gi1/0/3     Enabled         Disabled    Disabled            Disabled         Disabled          Disabled
gi1/0/4     Authenticate    Disabled    MAC-only            Enabled          Disabled          Disabled
To sum up, my question is:
Why doesn't dot1x violation mode work?
Thank you very much for your replies.
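Added example, not from the original post or from Dell: a small Python parser for the PowerConnect syslog lines quoted in the post, which pulls the port and MAC out of %SEC-W-SUPPLICANTUNAUTHORIZED messages and counts rejections per port, so repeated 802.1X failures on a port can be monitored rather than read by hand. The sample log is constructed from the lines in the post (the MAC stays masked as it is there); the message layout assumed is "<date> <time> %FACILITY-SEV-MNEMONIC: text", optionally preceded by the console prompt.

```python
# Added example (not part of the original post): parse PowerConnect 55xx console
# log lines and summarise 802.1X supplicant rejections per port.
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: "<dd-Mon-yyyy> <hh:mm:ss> %FACILITY-SEV-MNEMONIC: text",
# sometimes prefixed by the CLI prompt when the message lands on the console.
LINE_RE = re.compile(
    r"^(?:\S+\(config\)# )?"
    r"(?P<date>\d{2}-\w{3}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"%(?P<facility>[A-Z0-9]+)-(?P<sev>[A-Z])-(?P<mnemonic>[A-Za-z0-9_]+): (?P<text>.*)$"
)
PORT_RE = re.compile(r"\b(gi\d+/\d+/\d+)\b")
# Accepts real hex octets and the masked "XX" form used in the post.
MAC_RE = re.compile(r"\bMAC ((?:[0-9A-Fa-fX]{2}:){4,5}[0-9A-Fa-fX]{2})\b")

# Constructed sample, modelled on the three lines quoted in the post.
SAMPLE_LOG = """\
pwr5548(config)# 18-Nov-2006 17:14:10 %LINK-W-Down: gi1/0/4
18-Nov-2006 17:14:19 %LINK-I-Up: gi1/0/4
18-Nov-2006 17:15:09 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC XX:XX:XX:XX:XX was rejected on port gi1/0/4 due to wrong user name or password in Radius server
"""

def parse_line(line):
    """Return a dict for one switch log line, or None if the line is not a log message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d-%b-%Y %H:%M:%S")
    port = PORT_RE.search(rec["text"])
    mac = MAC_RE.search(rec["text"])
    rec["port"] = port.group(1) if port else None
    rec["mac"] = mac.group(1) if mac else None
    return rec

def summarise_rejections(log_text):
    """Count SUPPLICANTUNAUTHORIZED events per port, keeping the MACs and the latest time seen."""
    per_port = defaultdict(lambda: {"count": 0, "macs": set(), "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["mnemonic"] == "SUPPLICANTUNAUTHORIZED" and rec["port"]:
            entry = per_port[rec["port"]]
            entry["count"] += 1
            entry["macs"].add(rec["mac"])
            entry["last"] = rec["timestamp"]
    return dict(per_port)

if __name__ == "__main__":
    for port, info in summarise_rejections(SAMPLE_LOG).items():
        print(port, info["count"], sorted(info["macs"]), info["last"])
```

Feeding the switch's syslog export into summarise_rejections gives a per-port view of which MACs RADIUS is rejecting and how often, which is the first thing to check before deciding whether the port is behaving as configured.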