Re: dot1x auth-fail vlan 666?

From: Oscar Fernandez (oscar@kaos.es)
Date: Fri Dec 15 2006 - 05:50:00 ART


cheers

----- Original Message -----
From: "Kemal YILDIRIM" <kemalhy@gmail.com>
To: "'Oscar Fernandez'" <oscar@kaos.es>; "'Cisco certification'"
<ccielab@groupstudy.com>
Sent: Thursday, December 14, 2006 5:12 PM
Subject: RE: dot1x auth-fail vlan 666?

> Hi there Oscar,
> I have used the attached config some time ago in my LABs; I have purposely
> changed the timers to see the effects.
> Some of them have no meaning in real life, as they are in my config.
> If you did not configure aaa, I don't think that you can send the user
> to a restricted vlan.
> HTH,
> Kemal
>
> vlan 100
> name Production
> vlan 200
> name Guest
> vlan 300
> name Restricted
> vlan 400
> name Critical
> !
> aaa new-model
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> !
> ip routing
> !
> no ip domain-lookup
> !
> !
> dot1x system-auth-control
> dot1x critical recovery delay 2000
> dot1x critical eapol
> !
> interface FastEthernet0/1
> description Radius Server
> switchport access vlan 100
> switchport mode access
> spanning-tree portfast
> !
> interface FastEthernet0/2
> description 802.1x Client
> switchport mode access
> dot1x critical
> dot1x critical recovery action reinitialize
> dot1x pae authenticator
> dot1x port-control auto
> dot1x timeout quiet-period 3
> dot1x timeout reauth-period 300
> dot1x timeout tx-period 15
> dot1x max-req 3
> dot1x max-reauth-req 3
> dot1x reauthentication
> dot1x guest-vlan 200
> dot1x auth-fail vlan 300
> dot1x critical vlan 400
> spanning-tree portfast
> !
> interface Vlan100
> no shut
> ip address 10.1.1.1 255.255.0.0
> !
> radius-server dead-criteria time 3
> radius-server host 10.1.1.10 auth-port 1645 acct-port 1646
> radius-server source-ports 1645-1646
> radius-server deadtime 1
> radius-server key Cisco123
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Oscar Fernandez
> Sent: Thursday, December 14, 2006 13:44
> To: Cisco certification
> Subject: dot1x auth-fail vlan 666?
>
> Has anyone configured this command? I tried to do it on a rented 3550
> and I wasn't able to do it. I've read the documentation over and over
> and I have no idea how to do it. Any ideas? The only thing I didn't test
> was to configure aaa. Do you need aaa to make this work?
>
> cheers
> Oscar
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
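
An added example, not part of the original thread or of any Cisco tool: a small Python audit that reports, for each port carrying `dot1x auth-fail vlan`, which of the supporting commands seen in the quoted lab config are absent. The prerequisite lists, the `audit` function and the port `FastEthernet0/3` are assumptions made for this illustration.

```python
import re

# Constructed sample: trimmed from the lab config quoted in this thread, plus a
# hypothetical port Fa0/3 that carries only the auth-fail command.
SAMPLE = """\
vlan 300
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
 dot1x auth-fail vlan 300
!
interface FastEthernet0/3
 dot1x auth-fail vlan 666
"""

# Assumed prerequisites, taken from the commands present in the quoted config.
GLOBAL_REQS = ("aaa new-model", "aaa authentication dot1x", "dot1x system-auth-control")
PORT_REQS = ("switchport mode access", "dot1x port-control auto")

def audit(config):
    """Return {interface: [missing prerequisites]} for every auth-fail port."""
    global_lines, ports, vlans, current = [], {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()   # archived configs often lose their indentation
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line in ("", "!") or re.fullmatch(r"vlan \d+", line):
            current = None                    # end of the interface block
            vlans.update(line.split()[1:2])   # records the id of a "vlan N" line
        elif current:
            ports[current].append(line)
        else:
            global_lines.append(line)
    missing_global = [r for r in GLOBAL_REQS
                      if not any(g.startswith(r) for g in global_lines)]
    report = {}
    for name, cmds in ports.items():
        fail = [c.split()[-1] for c in cmds if c.startswith("dot1x auth-fail vlan ")]
        if fail:
            undefined = ["vlan %s not defined" % v for v in fail if v not in vlans]
            report[name] = (missing_global
                            + [r for r in PORT_REQS if r not in cmds] + undefined)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty list for a port means every assumed prerequisite was found; the check reads the text of a saved config only and says nothing about what a given IOS release accepts.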



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART