Tuesday, June 22, 2021

Cisco 2960X Landing Some Recently Updated PCs in Native VLAN When Passing or Failing Dot1x - WHY?

I have a deployment of about 150 Cisco 2960Xs that have dot1x authentication running on them back to a cluster of Windows NPS servers.

This works flawlessly 99% of the time. Anytime we have Windows updates, however, I will get 5-10 PCs out of about 2000 that come back up and pass or fail dot1x, but then, instead of being placed in the appropriate VLAN, they are dumped into VLAN 1, which isn't configured on the port anywhere.

We have updated the IOS on some of the switches. We tried rebooting the affected PC as well as unplugging the cable to the switch and plugging it back in, but it will keep coming back and either pass or fail dot1x and land in VLAN 1.

There is nothing in my NPS server logs to indicate anything went wrong.

The only way I can get the switch to assign it to the proper VLAN based on whether it passed or failed dot1x is to default the interface and reconfigure it.

Below is an example of the configuration that exists on essentially every one of these 2960X ports. In some situations the access VLAN that is used when it passes dot1x is not 20, but otherwise it is identical.

 switchport access vlan 20
 switchport mode access
 switchport voice vlan 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 no cdp enable
 authentication control-direction in
 authentication event fail action authorize vlan 40
 authentication event server dead action authorize vlan 20
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 40
 authentication host-mode multi-domain
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation replace
 mab
 mls qos trust dscp
 dot1x pae authenticator
 dot1x timeout tx-period 3
 auto qos trust dscp
 spanning-tree portfast edge

Thanks in advance.
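A check for the symptom described above, added here as an example that is not part of the original post: it parses a running-config fragment and "show interfaces status" output and lists access ports that the switch has put in VLAN 1 while their configuration assigns a different access VLAN. The interface names, VLAN numbers and output samples are constructed, not taken from the poster's switches.

```python
# Constructed 2960X running-config fragment (not the poster's switches);
# the authentication lines mirror the port template above.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 20
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 switchport mode access
!
"""
# Constructed "show interfaces status" output for the same three ports.
SHOW_STATUS = """\
Port      Name  Status       Vlan  Duplex  Speed   Type
Gi1/0/1         connected    20    a-full  a-1000  10/100/1000BaseTX
Gi1/0/2         connected    1     a-full  a-1000  10/100/1000BaseTX
Gi1/0/3         connected    1     a-full  a-1000  10/100/1000BaseTX
"""
STATUS_WORDS = {"connected", "notconnect", "disabled", "err-disabled"}

def configured_access_vlan(config_text):
    """Map short port names (Gi1/0/2) to their 'switchport access vlan' value."""
    vlans, port = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            # the config spells out GigabitEthernet; show output abbreviates to Gi
            port = line.split(None, 1)[1].replace("GigabitEthernet", "Gi")
        elif port and line.startswith(" switchport access vlan "):
            vlans[port] = line.split()[-1]
    return vlans

def operational_vlan(status_text):
    """Map port names to the Vlan column of 'show interfaces status'."""
    vlans = {}
    for toks in (ln.split() for ln in status_text.splitlines()):
        idx = next((i for i, t in enumerate(toks) if t in STATUS_WORDS), None)
        if idx is not None and idx + 1 < len(toks):
            vlans[toks[0]] = toks[idx + 1]
    return vlans

def ports_stuck_in_vlan1(config_text, status_text):
    """Ports operating in VLAN 1 whose config assigns another access VLAN
    (ports with no access VLAN configured default to 1 and are not reported)."""
    cfg = configured_access_vlan(config_text)
    return sorted((p, cfg[p], v) for p, v in operational_vlan(status_text).items()
                  if v == "1" and cfg.get(p, "1") != "1")
```

Run against real output, the returned ports are the ones to inspect with "show authentication sessions interface" before defaulting the interface.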
