DOT1x with NONE keyword on AAA authentication

From: gladston@br.ibm.com
Date: Thu Sep 01 2005 - 20:22:29 GMT-3


Trying to understand what happens when configuring 'aaa authentication dot1x default none'.

=================================
quoted

To enable 802.1x port-based authentication, you must enable AAA and specify the authentication method list.

none: Use no authentication. The client is automatically authenticated by the switch without using the information supplied by the client.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/sw8021x.htm#wp1025133
==================================

Reading this I came to the conclusion that, although using 'none', it is necessary to enable AAA.
On the other hand, tests show that dot1x is enabled even though aaa is not configured.
The part that I am missing is what happens if I had a dot1x client answering.

Any feedback appreciated.

Tests:

Tests show that dot1x is asking the client, even though aaa is not configured.
(As there is no client on fa0/24, it defaults to the guest vlan after a while.)

no aaa new-model

sh run int fa 0/24

interface FastEthernet0/24
 switchport access vlan 600
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 60

deb dot1x all

Rack2CAT1(config)#int fa 0/24
Rack2CAT1(config-if)#sh

11:36:06: dot1x-registry:** dot1x_vp_statechange:
11:36:06: dot1x-ev:vlan 60 vp is removed on the interface FastEthernet0/24
11:36:06: dot1x-ev:Now Processing: 60 link DOWN for FastEthernet0/24, accss_vlan = 60, oper_vlan = 60
11:36:06: dot1x-registry:dot1x_port_modechange invoked on interface FastEthernet0/24
11:36:06: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet0/24
11:36:06: dot1x-err:calling pm_idb_set_port_access_oper_vlanid with vlan=600
11:36:06: dot1x-ev:supp_info=1198F10 txWhen_timer=1198F60 quietWhile_timer=1198F20 reAuthWhen_timer=1198F40 awhile_timer=1198F80
11:36:06: dot1x-ev:destroy supplicant block for 0000.0000.0000
11:36:06: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/24
11:36:06: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/24
*Mar 1 03:36:10: %LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
*Mar 1 03:36:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down

Rack2CAT1(config-if)#no sh

*Mar 1 03:36:15: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down
11:36:13: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet0/24
11:36:13: dot1x-registry:dot1x_port_linkcomingup invoked on interface FastEthernet0/24
11:36:13: dot1x-ev:dot1x_port_enable: set dot1x ask handler on interface FastEthernet0/24
11:36:13: dot1x_auth Fa0/24: initial state auth_initialize has enter
11:36:13: dot1x-sm:Fa0/24:0000.0000.0000:auth_initialize_enter called
11:36:13: dot1x-ev:auth_initialize_enter:0000.0000.0000: Current ID=0
11:36:13: dot1x_auth Fa0/24: during state auth_initialize, got event 0(cfg_auto)
11:36:13: @@@ dot1x_auth Fa0/24: auth_initialize -> auth_disconnected
11:36:13: dot1x-sm:Fa0/24:0000.0000.0000:auth_disconnected_enter_action called
11:36:13: dot1x-sm:dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZED
11:36:13: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/24
11:36:13: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
11:36:13: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send port to unauthorized on vlan 0
11:36:13: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 11BF558
11:36:13: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0
11:36:13: dot1x-ev: GuestVlan configured=0
11:36:13: dot1x-ev:supplicant 0000.0000.0000 is default
11:36:13: dot1x-ev:supplicant 0000.0000.0000 is last
11:36:13: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/24
11:36:13: dot1x_auth Fa0/24: idle during state auth_disconnected
11:36:13: @@@ dot1x_auth Fa0/24: auth_disconnected -> auth_connecting
11:36:13: dot1x-sm:Fa0/24:0000.0000.0000:auth_connecting_enter called
11:36:13: dot1x_bend Fa0/24: initial state dot1x_bend_initialize has enter
11:36:13: dot1x-sm:Dot1x Initialize State Entered
11:36:13: dot1x_bend Fa0/24: initial state dot1x_bend_initialize has idle
11:36:13: dot1x_bend Fa0/24: during state dot1x_bend_initialize, got event 16383(idle)
11:36:13: @@@ dot1x_bend Fa0/24: dot1x_bend_initialize -> dot1x_bend_idle
11:36:13: dot1x-sm:Dot1x Idle State Entered
11:36:13: dot1x-ev:Created port supplicant block 0000.0000.0000 expected_id=0 current_id=0
11:36:13: dot1x-ev:dot1x_init_sb_oper_info:Default port supplicant at memloc 11BF558
11:36:13: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/24
11:36:13: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
11:36:13: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=1
11:36:13: dot1x-ev:dot1x_tx_eap: EAP Ptk
11:36:13: dot1x-ev:EAP-code=FAILURE
11:36:13: dot1x-ev:EAP Type= IDENTITY
11:36:13: dot1x-ev:ID=0
11:36:13: dot1x-registry:registry:dot1x_ether_macaddr called
11:36:13: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/24
11:36:13: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
11:36:13: dot1x-ev:dot1x_tx_eap: EAP Ptk
11:36:13: dot1x-ev:EAP-code=REQUEST
11:36:13: dot1x-ev:EAP Type= IDENTITY
11:36:13: dot1x-ev:ID=1
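The two settings the post is testing, a dot1x method list that contains `none` and `dot1x port-control auto` on a port while `aaa new-model` is off, are exactly the things an auditor wants to catch in a running-config before a switch goes into production. The script below is an added example and not part of the original post; it parses an IOS-style config with plain line matching and flags both conditions. The config it reads is constructed for the example (it deliberately combines `no aaa new-model` with `aaa authentication dot1x` lines so every check fires), and the finding text, list names `LAB` and `STRICT`, and function names are my own.

```python
"""Audit a Cisco IOS running-config for 802.1X AAA weaknesses.

Added example, not from the original post. Two checks:
  1. An 'aaa authentication dot1x <list> ...' line that contains the 'none'
     method: per the quoted Cisco doc, 'none' authorizes the client without
     using anything the client supplied.
  2. 'dot1x port-control auto' on an interface while 'aaa new-model' is not
     enabled, the situation tested in the post.
"""
import re
from typing import Dict, List

# Constructed sample config (assumption: hand-written to exercise every
# check; not captured from the switch in the post).
SAMPLE_CONFIG = """\
no aaa new-model
!
aaa authentication dot1x default none
aaa authentication dot1x LAB group radius none
aaa authentication dot1x STRICT group radius
!
interface FastEthernet0/24
 switchport access vlan 600
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 60
!
interface FastEthernet0/1
 switchport mode access
!
"""

AAA_DOT1X_RE = re.compile(r"^aaa authentication dot1x (\S+)\s+(.+)$")


def parse_dot1x_method_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authentication dot1x' list name to its ordered methods."""
    lists: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        m = AAA_DOT1X_RE.match(raw.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def aaa_new_model_enabled(config: str) -> bool:
    """True only if 'aaa new-model' is present and not negated."""
    lines = {raw.strip() for raw in config.splitlines()}
    return "aaa new-model" in lines and "no aaa new-model" not in lines


def dot1x_auto_interfaces(config: str) -> List[str]:
    """Interfaces whose stanza carries 'dot1x port-control auto'."""
    found: List[str] = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("!"):
            current = None  # IOS separates config stanzas with '!'
        elif current and line.strip() == "dot1x port-control auto":
            found.append(current)
    return found


def audit(config: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings: List[str] = []
    for name, methods in parse_dot1x_method_lists(config).items():
        if "none" not in methods:
            continue
        pos = methods.index("none")
        if pos == 0:
            findings.append(
                f"list '{name}': 'none' is the first method; ports using it "
                f"authorize every supplicant without checking credentials")
        else:
            # IOS moves to the next method only when the previous one errors
            # (e.g. RADIUS unreachable), not when it rejects the user, so
            # 'none' as a fallback turns a server outage into open access.
            findings.append(
                f"list '{name}': 'none' follows {' '.join(methods[:pos])}; "
                f"a RADIUS outage silently falls back to open access")
    auto_ifaces = dot1x_auto_interfaces(config)
    if auto_ifaces and not aaa_new_model_enabled(config):
        findings.append(
            f"dot1x port-control auto on {', '.join(auto_ifaces)} while "
            f"'aaa new-model' is disabled; verify which method list, if any, "
            f"is actually in effect")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; the `STRICT` list in the sample shows the shape that produces no finding, a RADIUS-only method list with `aaa new-model` enabled.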



This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:13 GMT-3