What does mean addr mode = blk?

[Deepmind]

Hi,

I use 802.1x and when I run "show aaa-device all-users", there is an "addr mode" column with sometimes the value "Blk".

Here is an example:

Code: Select all

Slot  MAC               User                 Addr IP          Authentication User Network
Port  Address           Name            Vlan Mode Address        Type Result Profile Name
-----+-----------------+---------------+----+----+---------------+----+----+---------------
 1/18 00:1a:e8:6f:04:58              --    0 Blk  -               MAC  Pass -

I looked in the documentation and google to know what it means and why it appears but I found no informations.

Configuration is:

Code: Select all

vlan 20 name Users
vlan 150 name Guests

vlan 20 port default 1/18
vlan port mobile 1/18
vlan port 1/18 default vlan restore disable
vlan port 1/18 802.1x enable

aaa radius-server "Radius" host 10.0.0.254 key SECRET retransmit 3 timeout 2 auth-port 1812 acct-port 1813
aaa authentication default "local"
aaa authentication 802.1x "Radius"
aaa authentication mac "Radius"

802.1x 1/18 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/18 captive-portal session-limit 12 retry-count 3
802.1x 1/18 captive-portal inactivity-logout disable
802.1x 1/18 supp-polling retry 2
802.1x 1/18 supplicant policy authentication pass default-vlan fail vlan 150 block
802.1x 1/18 non-supplicant policy authentication pass default-vlan fail vlan 150 block
802.1x 1/18 captive-portal policy authentication pass default-vlan fail block

I checked Radius log, result was access-accept.
I tryied to "vlan 20 port default 1/18" again.
I tryied to reboot the device then the switch, same result.

I imagine the switch didn't find the default vlan and so went to the block state.

1) Am i right?
2) How to solve this?
3) what does "addr mode = blk" means?

[silvio]

What is the output of:
> aaa test-radius-server Radius type authentication user 001AE86F0458 password 001AE86F0458 method pap

I think there is a wrong vlan allocation. You are correct. If the radius answer is PASS then the Client will put to the Default vlan.

regards
Silvio

[Deepmind]

Result is "Pass".

I've already seen devices on "80 Blk" and when I Wiresharked, I saw device was tagging its traffic on vlan 80.

But i realy don't understand why "0 Blk" does the device tag its traffic on vlan 0?

[DeichShaf]

You may want to use 'show aaa-device all-users' to get some further information on that particular device.

The difference in output makes it quite clear, that the switch is blocking the device (as you already presumed), since the switch tells you exactly what it is doing with that device here.


We had a similar problem here: OS 6850 -> Customer premises equipment -> respective device

If the CPE was malconfigured, the respective device was correctly connected, had RADIUS result "PASS" and however was put into a different VLAN. For example: desired VLAN ID according to RADIUS would've been 1234 but the CPE was configured to tag packets for that device with ID 0, so the switch put the device into VLAN 0 and blocks it - blocking according to your rules since desired and actual VLAN ID don't match.

Keep in mind that you may have to disconnect and reconnect the device in order to have it re-authenticated.

[Deepmind]

Ok, thank you for the input.

[aeon]

Hello, sorry to ask 2 months after the last answer but I have a similar problem with my 802.1x configuration. When I use the following command :

aaa test-radius-server Radius type authentication user 001AE86F0458 password 001AE86F0458 method pap

The answer is "Timeout", means that it failed. I think that's why my 802.1x isn't working and blocks everything. I'm quite new to this kind of configuration. Do someone know where I should start to verify my configuration ?

Thanks