SW -- IP phone -- PC
Customer feedback: When the device is configured with MAC authentication and dot1x authentication at the same time, MAC authentication succeeds but dot1x authentication does not. If only one of the two authentication types is kept, whichever it is, authentication succeeds.
The configuration under the interface is as follows:
interface GigabitEthernet1/0/7
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 to 1000
port trunk pvid vlan 900
undo stp enable
mac-address max-mac-count 4
poe enable
dot1x
undo dot1x handshake
dot1x mandatory-domain dot1x
undo dot1x multicast-trigger
dot1x unicast-trigger
mac-authentication
mac-authentication domain mac
mac-authentication parallel-with-dot1x
Debugging dot1x shows the following authorization failure log:
*Jan 1 03:46:19:727 2021 il_82 DOT1X/7/EVENT: User failed to come online (UserMAC=e411-5b29-XXXX, VLANID=900, Interface=GigabitEthernet1/0/7). Reason: Authorization failure.
Authentication still cannot pass when local authorization or no authorization is used.
domain dot1x
authentication lan-access radius-scheme dot1x
authorization lan-access local
accounting lan-access none
Step 1. Change the port link type to hybrid.
Step 2. The active VLAN on the port differs by authentication type, for example MAC authentication uses VLAN 900 and dot1x authentication uses authorized VLAN 901, so 'mac-vlan enable' is required in this scenario.
Step 3. The authorized VLAN should be untagged on the hybrid port.
The final configuration is as follows:
interface GigabitEthernet1/0/7
port link-mode bridge
port link-type hybrid
port hybrid vlan 1 555 820 902 to 903 tagged
port hybrid vlan 900 to 901 untagged
port hybrid pvid vlan 900
mac-vlan enable
stp edged-port
poe enable
dot1x
undo dot1x handshake
dot1x mandatory-domain dot1x
mac-authentication
mac-authentication domain mac
mac-authentication parallel-with-dot1x
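The three steps above can be checked against an interface block before it is deployed. The following Python sketch is an added example, not part of the original case or of any vendor tool; the function names expand_vlans and check_port are hypothetical, and the two sample blocks are trimmed from the configurations shown on this page.

```python
import re

def expand_vlans(spec):
    """Expand a VLAN list such as '1 555 902 to 903' into a set of ints."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans

def check_port(config, auth_vlans):
    """Return findings for one interface block against Steps 1 to 3."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    if not {"dot1x", "mac-authentication"} <= set(lines):
        return []  # only ports running both authentication types are in scope
    findings = []
    if "port link-type hybrid" not in lines:
        findings.append("port link type is not hybrid")
    if "mac-vlan enable" not in lines:
        findings.append("mac-vlan enable is missing")
    untagged = set()
    for l in lines:
        m = re.fullmatch(r"port hybrid vlan (.+) untagged", l)
        if m:
            untagged |= expand_vlans(m.group(1))
    missing = sorted(set(auth_vlans) - untagged)
    if missing:
        findings.append("VLANs not untagged on the port: %s" % missing)
    return findings

# Sample inputs trimmed from the page's before/after interface configurations.
BEFORE = """port link-type trunk
port trunk permit vlan 1 to 1000
dot1x
mac-authentication"""
AFTER = """port link-type hybrid
port hybrid vlan 1 555 820 902 to 903 tagged
port hybrid vlan 900 to 901 untagged
mac-vlan enable
dot1x
mac-authentication"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check_port(cfg, [900, 901]))
```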