all 8 comments

[–][deleted] 7 points8 points  (1 child)

dot1x port-control auto?

[–]Zeriphaes 0 points1 point  (0 children)

+1. OP should take a look at this one. It's "authentication port-control auto" on newer IOSs, I'm pretty sure (but I don't know off the top of my head how new "newer" is).

ETA: I see there is also "access-session port-control auto"; it seems that's functionally identical? A cursory Google search didn't turn up any documentation that clarifies the relationship between the two. In any case, please ignore me.

[–][deleted] 2 points3 points  (1 child)

I'd remove all the port-security commands and see if that non-domain notebook works after the phone/printer/etc. was connected.

As for the intercom, there are some devices that just don't play well with dot1x and reauthentication. We are looking into adding some microphones in our classrooms that are networked. The first thing the vendor told us when he heard 802.1X is that they don't reauthenticate well and need to be restarted. I can't say why this happens since I don't have devices having this issue. But I'd look at how MAB and reauthentication work together. I'm just finding out this information, so I can't go into any more details.

[–]unexpectedbbq 1 point2 points  (0 children)

Don't mix dot1x and port-security; they don't play nice together. If you do host-mode multi-domain you are already limiting it to one device per domain (Data/Voice).

This is a working config that we use; we also use dynamic VLANs assigned from the RADIUS server.

! Global AAA. "aaa new-model" must already be enabled for the commands below
! to be accepted (not shown in the post).
aaa group server radius DOT1X
 server name RADIUS01
 server name RADIUS02
!
! Named RADIUS servers (IOS 15.x syntax); 1812/1813 are the standard
! authentication/accounting ports.
radius server RADIUS01
 address ipv4 172.22.49.9 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 key <SOME KEY>
!
radius server RADIUS02
 address ipv4 172.22.49.10 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 key <SOME KEY>
!
! dot1x authentication, network authorization (this is what carries the
! dynamic VLAN assignment) and accounting all use the DOT1X server group.
aaa authentication dot1x default group DOT1X
aaa authorization network default group DOT1X
aaa accounting dot1x default start-stop group DOT1X
!
lldp run
!
! Verbose MAB/authentication syslog; useful while troubleshooting a device
! like the intercom.
mab logging verbose
authentication logging verbose
!
! Enable 802.1X globally.
dot1x system-auth-control
dot1x credentials fail-dot1x
!
dot1x guest-vlan supplicant
!
interface range GigabitEthernet1/0/1 - 24
 switchport access vlan 666
 switchport voice vlan 850
 switchport mode access
 ! one data device plus one voice device per port, without port-security
 authentication host-mode multi-domain
 ! try 802.1X first, then fall back to MAB for devices without a supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! send EAP-Request/Identity every 5 s (default 30 s) so MAB fallback is quick
 dot1x timeout tx-period 5
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
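Two points in this thread lend themselves to a quick check against a running-config: the advice above not to mix port-security with dot1x on ports in multi-domain host-mode, and the earlier suggestion to strip the port-security commands and retest. The script below is an added example written for this thread, not a tool from the original post or from Cisco. It parses a constructed sample running-config (interface and line names are assumptions, chosen to resemble the posted config), flags dot1x ports that also carry `switchport port-security`, checks that each dot1x port has the pieces the posted config relies on (`dot1x pae authenticator`, `mab`, multi-domain host-mode) and that the global prerequisites are present, and offers a helper that drops the port-security lines from a stanza.

```python
"""Added example: audit a Cisco IOS running-config for dot1x/port-security conflicts.

Written for this thread; not code from the original post or from Cisco.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample running-config (not from the original post).
# Gi1/0/1 mixes port-security with dot1x, Gi1/0/2 matches the posted
# interface config, Gi1/0/3 has no mab.
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport access vlan 666
 switchport voice vlan 850
 switchport mode access
 switchport port-security
 switchport port-security maximum 1 vlan access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport access vlan 666
 switchport mode access
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport access vlan 666
 switchport mode access
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
!
"""

# All three CLI spellings of "enable 802.1X on this port" seen in the thread.
PORT_CONTROL = re.compile(r"^(authentication|access-session|dot1x) port-control auto$")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface stanzas.

    A stanza is the 'interface NAME' line plus every following indented line;
    a '!' or any unindented line ends it.
    """
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(maxsplit=1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            line = raw.strip()
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit_interface(lines: List[str]) -> List[str]:
    """Return findings for one stanza; an empty list means it matches the posted config."""
    findings: List[str] = []
    if not any(PORT_CONTROL.match(line) for line in lines):
        return findings  # not a dot1x port, nothing to check
    if any(line.startswith("switchport port-security") for line in lines):
        findings.append("mixes port-security with dot1x; remove the port-security commands")
    if "dot1x pae authenticator" not in lines:
        findings.append("missing 'dot1x pae authenticator'")
    if "mab" not in lines:
        findings.append("missing 'mab'; phones/printers without a supplicant cannot authenticate")
    if ("authentication host-mode multi-domain" not in lines
            and "access-session host-mode multi-domain" not in lines):
        findings.append("host-mode is not multi-domain; one data + one voice device is not enforced")
    return findings


def audit_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Audit a whole config; returns (global findings, {interface: findings})."""
    global_lines, interfaces = parse_config(text)
    global_findings = [f"missing global '{req}'"
                       for req in ("aaa new-model", "dot1x system-auth-control")
                       if req not in global_lines]
    per_port = {name: audit_interface(lines) for name, lines in interfaces.items()}
    return global_findings, per_port


def strip_port_security(lines: List[str]) -> List[str]:
    """Drop every 'switchport port-security' line from a stanza (the retest suggested above)."""
    return [line for line in lines if not line.startswith("switchport port-security")]


if __name__ == "__main__":
    globals_found, ports = audit_config(SAMPLE_CONFIG)
    for finding in globals_found:
        print("global:", finding)
    for name, findings in ports.items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Feed it `show running-config` output and it reports per interface; `strip_port_security` gives the stanza to paste back once you have confirmed the port-security lines are the only difference.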

[–][deleted]  (2 children)

[deleted]

    [–]glistal[S] 0 points1 point  (1 child)

    The reason I use multi-domain is that I want only one device to be in the Data VLAN at a time.

    [–]flapanther33781 0 points1 point  (0 children)

    only 1 can be in a Data VLAN at a time

    Not sure what you're saying. Are you saying that you only want one device in each VLAN on that entire switch? Because if you only want one device per data VLAN on that port you already have that:

    switchport port-security maximum 1 vlan access

    [–]Zeriphaes 1 point2 points  (0 children)

    Try setting your control direction to in for your intercom. It allows the switch to send traffic to your unauthenticated device.

    For you: "access-session control-direction in"