
Problem with guests connecting using 802.1X

Posted: 13 Sep 2012 06:07
by dgilbon
Hello,

I have a customer encountering a problem on his network. Previously, he had a configuration like this:

802.1x 1/1 supplicant policy authentication pass default-vlan fail vlan 105 block

The problem is, if a guest with a computer (capable of 802.1x) is trying to connect, then he will not be redirected to vlan 105 (the guest vlan). Until now, nothing wrong...
But he tried to change the configuration to something like this:

802.1x 1/1 supplicant policy authentication pass default-vlan fail vlan 105 pass

And the syntax does not seem to be correct. Do you have any ideas on how to proceed?

Thank you for your help,

Regards,

Damien

Re: Problem with guests connecting using 802.1X

Posted: 14 Sep 2012 12:08
by benny
Dear Damien,

If you want to achieve that, if the 802.1x authentication fails, the Guest is not able to communicate - then you need to use the "fail block" statement.

You're using the "pass" statement twice ...
802.1x 1/1 supplicant policy authentication pass default-vlan fail vlan 105 pass

I don't understand yet what you want to achieve ..

You posted the correct syntax already ..
802.1x 1/1 supplicant policy authentication pass default-vlan fail vlan 105 block

If a supplicant is getting connected and that supplicant fails the 802.1x authentication, it will be placed in vlan 105.
Please note that vlan 105 needs to exist on that switch, otherwise the user will not be able to communicate.

Benny

Re: Problem with guests connecting using 802.1X

Posted: 16 Sep 2012 07:08
by silvio
Hi Damien,
The syntax isn't easy to understand.
Correct is: 802.1x 1/1 supplicant policy authentication pass default-vlan fail vlan 105 block
You can separate this supplicant policy into two parts:
.... authentication pass.....
and ... authentication fail ......

If there is more than one option after the keyword pass/fail, then the first will be used (first matching rule). So in your case block isn't used because the traffic is associated to vlan 105. The block is per default the last keyword after fail. But if you have forgotten to create vlan 105 in your switch, then block will be used.
regards
Silvio
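
The first-matching-rule behaviour Silvio describes above, as an added example that is not part of the original posts and is not vendor code: a small Python model that parses the policy line and resolves what happens to a supplicant. The `default_vlan` parameter, the implicit trailing block on both chains, and the rejection of a repeated keyword are assumptions drawn from the thread.

```python
import re

# Model of the supplicant policy semantics as described in this thread
# (an assumption drawn from the posts, not the switch vendor's code).
LINE_RE = re.compile(r"^802\.1x\s+(\S+)\s+supplicant\s+policy\s+authentication\s+(.*)$")
# Both lines are quoted from the thread.
GOOD_LINE = "802.1x 1/1 supplicant policy authentication pass default-vlan fail vlan 105 block"
BAD_LINE = "802.1x 1/1 supplicant policy authentication pass default-vlan fail vlan 105 pass"

def parse_policy(line):
    """Split a policy line into its port and its 'pass' and 'fail' option chains."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a supplicant policy line")
    port, tokens = m.group(1), m.group(2).split()
    chains, current, i = {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("pass", "fail"):
            if tok in chains:  # the rejected line repeats 'pass'
                raise ValueError(f"keyword '{tok}' used twice")
            current = chains.setdefault(tok, [])
        elif current is None:
            raise ValueError(f"option '{tok}' before pass/fail")
        elif tok == "vlan":
            if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
                raise ValueError("vlan needs a numeric id")
            current.append(("vlan", int(tokens[i + 1])))
            i += 1
        elif tok in ("default-vlan", "block"):
            current.append((tok, None))
        else:
            raise ValueError(f"unknown option '{tok}'")
        i += 1
    return port, chains

def resolve(line, auth_ok, existing_vlans, default_vlan=1):
    """Return the first usable action for a supplicant (first matching rule)."""
    _, chains = parse_policy(line)
    for kind, vid in chains.get("pass" if auth_ok else "fail", []):
        if kind == "vlan" and vid in existing_vlans:
            return ("vlan", vid)      # VLAN exists on the switch: use it
        if kind == "default-vlan":
            return ("vlan", default_vlan)  # default_vlan value is hypothetical
        if kind == "block":
            return ("block", None)
    return ("block", None)  # block is the implicit last option
```

With VLAN 105 created, `resolve(GOOD_LINE, False, {1, 105})` yields VLAN 105; without it, the same line falls through to block.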

Re: Problem with guests connecting using 802.1X

Posted: 17 Sep 2012 11:01
by dgilbon
Hello you both, and thank you for your time !

@Benny:
"If a supplicant is getting connected and that supplicant fails the 802.1x authentication, it will be placed in vlan 105."
The problem is that, actually, when a foreign computer is trying to connect, it is not allowed with 802.1x (this is ok) but it is not placed in vlan 105 even with:

802.1x 1/1 supplicant policy authentication pass default-vlan fail vlan 105 block

That's why the customer thought that he had to modify the last statement as "pass".

The vlan 105 does exist on this equipment:

vlan 105 enable name "Invite"

What the customer wants to achieve is: someone comes with his own computer, he tries to connect to the LAN, 802.1x rejects him, but he's placed in vlan 105 so that he can have access to some features.


@Silvio:
The problem is that people actually don't get access to vlan 105 even though it is present on this equipment (see above).

I hope I'm clear enough, as I really haven't mastered this part..

Re: Problem with guests connecting using 802.1X

Posted: 19 Sep 2012 05:08
by silvio
Hi,
Are you sure that the other computers are supplicants? If not you have to use the non-supplicant.....

To better understand the config, use the command:
> show 802.1x device classification policies

To check the active users (authentication pass and fail) you can use:
> show aaa-device all-users
> show 802.1x users

regards
Silvio

Re: Problem with guests connecting using 802.1X

Posted: 24 Sep 2012 09:00
by dgilbon
Hi,

You'll find attached the logs you asked for. I tried to analyse them, but didn't find anything wrong. Maybe I'm not good enough to.

I just find it strange to have in the fail statement: vlan 105, block.