RE: dot1x auth-fail vlan 666?

From: Kemal YILDIRIM (kemalhy@gmail.com)
Date: Thu Dec 14 2006 - 13:12:49 ART

• Next message: james p: "Hi CCIE mates.."
• Previous message: Salau,Olayemi: "RE: Cisco VPN3000 DNS Problem"
• Maybe in reply to: Oscar Fernandez: "dot1x auth-fail vlan 666?"
• Next in thread: ccie@adosolutions.co.uk: "Re: dot1x auth-fail vlan 666?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi there Oscar,
I have used the attached config sometime ago in my LABs, I have purposely
changed the timers to see the effects.
Some of them has no meaning in real life, as they are in my config.
If you did not configured aaa, I don't think so that you can send the user
to a restricted vlan.
HTH,
Kemal

vlan 100
name Production
vlan 200
name Guest
vlan 300
name Restricted
vlan 400
name Critical
!
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
ip routing
!
no ip domain-lookup
!
!
dot1x system-auth-control
dot1x critical recovery delay 2000
dot1x critical eapol
!
interface FastEthernet0/1
 description Radius Server
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 description 802.1x Client
 switchport mode access
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 3
 dot1x timeout reauth-period 300
 dot1x timeout tx-period 15
 dot1x max-req 3
 dot1x max-reauth-req 3
 dot1x reauthentication
 dot1x guest-vlan 200
 dot1x auth-fail vlan 300
 dot1x critical vlan 400
 spanning-tree portfast
!
interface Vlan100
 no shut
 ip address 10.1.1.1 255.255.0.0
!
radius-server dead-criteria time 3
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server deadtime 1
radius-server key Cisco123

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Oscar Fernandez
Sent: 14 Aral}k 2006 Per~embe 13:44
To: Cisco certification
Subject: dot1x auth-fail vlan 666?

Does anyone has configured this command? I tried to do it on a rented 3550
and I wasn't able to do it. I've readed over and over the documentation and
I have no idea how to do it. Any ideas? The only thing I didn't test was to
configure aaa. Do you need aaa to make this work?

cheers
Oscar

• Next message: james p: "Hi CCIE mates.."
• Previous message: Salau,Olayemi: "RE: Cisco VPN3000 DNS Problem"
• Maybe in reply to: Oscar Fernandez: "dot1x auth-fail vlan 666?"
• Next in thread: ccie@adosolutions.co.uk: "Re: dot1x auth-fail vlan 666?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART