I am trying to configure a Cisco Nexus 5548 for 802.1x with MAC Authentication Bypass. I found that there is no option to configure a guest VLAN for when authentication fails. According to this document it should be an available feature, but as you can see below it is not an available option.
Switch(config-if)# dot1x ?
default Configure Dot1x with default values for this port
host-mode Role of 802.1x authenticating entity
mac-auth-bypass Configure Mac-Auth-Bypass
max-reauth-req Maximum Re-authentication Attempts Before Failing
max-req Maximum Retries to Initiate Authentication
pae Role of 802.1x authenticating entity
port-control Port control
re-authentication Enable or Disable Reauthentication for this port
timeout Various Timeouts
I have enabled feature dot1x, configured my RADIUS server and pre-shared key, and added the required aaa statements.
I can even run "test aaa server radius x.x testuser password" and the user account authenticates successfully. It is only the guest-vlan feature that I cannot get working.
I noticed this in the linked documentation:
If MAB is configured and authentication fails through MAB, the guest VLAN (if available) is assigned as the access VLAN.
What does "(if available)" mean? Do I need to define a VLAN and then set it up as a guest VLAN with some parameter?
I want to stress that this is on a Nexus 5548, not a Nexus 9000 series switch. I have read that the Nexus 9K does not support the guest-vlan feature.
Here is the sanitized config:
!Command: show running-config
!Time: Tue Jan 8 18:40:24 2019
version 7.1(0)N1(1a)
hostname NexusFiveKLab
no feature telnet
feature tacacs+
feature interface-vlan
feature dot1x
feature lacp
feature lldp
feature vtp
username admin password 5 XXXXXX role network-admin
fips mode enable
no ip domain-lookup
tacacs-server host 172.16.0.11 key 7 "XXXX"
aaa group server tacacs+ SSVR
server 172.16.0.11
source-interface Vlan19
radius-server host 192.168.101.11 key 7 "XXXX" authentication accounting
logging event link-status default
policy-map type network-qos jumbo
class type network-qos class-default
mtu 9216
multicast-optimize
system qos
service-policy type queuing input fcoe-default-in-policy
service-policy type queuing output fcoe-default-out-policy
service-policy type qos input fcoe-default-in-policy
service-policy type network-qos jumbo
snmp-server user admin network-admin auth md5 XXXX priv XXXX localizedkey
snmp-server host 172.16.0.3 traps version 3 auth NET_MONITOR udp-port 30055
snmp-server community 5K_Lab group network-operator
ntp server 192.168.1.1 prefer
ntp source-interface Vlan10
aaa authentication login default group SSVR local
aaa authentication login console group SSVR local
aaa authorization config-commands default group SSVR local
aaa authorization commands default group SSVR local
aaa authentication dot1x default group radius
aaa accounting default group SSVR
aaa authentication login error-enable
spanning-tree vlan 10, 900, 1000 priority 24576
vrf context management
ip route 0.0.0.0/0 192.168.1.254
interface Vlan1
interface Vlan10
no shutdown
ip address 192.168.1.4/25
interface Vlan101
no shutdown
ip address 192.168.101.2/24
interface port-channel1
switchport mode trunk
switchport trunk allowed vlan 4-5,10,19,119,900,1000
speed 1000
interface Ethernet1/1
***The only port I've configured for dot1x is eth2/16. All other ports are either access ports or trunk ports.***
interface Ethernet2/16
description 802.1x Test
dot1x port-control auto
dot1x re-authentication
dot1x max-req 3
dot1x timeout quiet-period 25
dot1x timeout re-authperiod 3300
dot1x timeout tx-period 40
dot1x timeout server-timeout 60
dot1x timeout ratelimit-period 10
dot1x timeout supp-timeout 20
dot1x pae authenticator
dot1x mac-auth-bypass
no cdp enable
switchport access vlan 40
speed 1000
interface mgmt0
vrf member management
ip address 192.168.1.2/25
cli alias name w copy system:running-config nvram:startup-config
cli alias name c config t
cli alias name sib show init brief
cli alias name sii show ip int brief
line console
line vty
boot kickstart bootflash:/n5000-uk9-kickstart.7.1.0.N1.1a.bin
boot system bootflash:/n5000-uk9.7.1.0.N1.1a.bin
ip radius source-interface Vlan101
Posted on 2019-01-16 23:53:55
I have since learned that the switch needs to be on at least version 7.2(0)N1. According to the release notes, that is the release that added "Dynamic VLAN for MAC-based Authentication (MAB)". Once I upgraded to that version, the "dot1x guest-vlan" option became available.
See the release notes here.
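As an added example (not part of the original question or answer), the following script checks a saved `show running-config` against the two conditions the answer establishes: the NX-OS version must be at least 7.2(0)N1, and a dot1x port using MAC authentication bypass should carry a `dot1x guest-vlan` line. The sample config is a constructed, trimmed copy of the poster's running-config; the exact argument syntax of `dot1x guest-vlan` is an assumption, so the script only matches the command prefix.

```python
import re

# Constructed sample: a trimmed copy of the poster's config (still on 7.1(0)N1(1a))
SAMPLE_CONFIG = """\
version 7.1(0)N1(1a)
hostname NexusFiveKLab
feature dot1x
interface Ethernet1/1
  switchport access vlan 10
interface Ethernet2/16
  description 802.1x Test
  dot1x port-control auto
  dot1x mac-auth-bypass
  switchport access vlan 40
"""

MIN_VERSION = "7.2(0)N1"  # from the answer: first release with dynamic VLAN for MAB

def parse_version(text):
    """Turn an NX-OS version like '7.1(0)N1(1a)' into a comparable tuple.
    The optional trailing '(1a)' is treated as a patch number plus letter."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)\)N(\d+)(?:\((\d+)([a-z]?)\))?", text)
    if not m:
        raise ValueError(f"unrecognised NX-OS version: {text}")
    major, minor, maint, n, patch, letter = m.groups()
    return (int(major), int(minor), int(maint), int(n), int(patch or 0), letter or "")

def config_version(config):
    """Extract the 'version ...' line from a running-config, or None."""
    m = re.search(r"^version\s+(\S+)", config, re.M)
    return m.group(1) if m else None

def dot1x_interfaces(config):
    """Map each interface name to the dot1x lines configured under it."""
    result, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            current = stripped.split(None, 1)[1]
        elif current and stripped.startswith("dot1x "):
            result.setdefault(current, []).append(stripped)
    return result

def audit(config):
    """Return (version_ok, [interfaces with MAB but no 'dot1x guest-vlan' line])."""
    version_ok = parse_version(config_version(config)) >= parse_version(MIN_VERSION)
    missing = [name for name, lines in dot1x_interfaces(config).items()
               if any(l.startswith("dot1x mac-auth-bypass") for l in lines)
               and not any(l.startswith("dot1x guest-vlan") for l in lines)]
    return version_ok, missing
```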
https://networkengineering.stackexchange.com/questions/55957