how difficult can it be, dot1x guest-vlan

From: maureen schaar (maureen.schaar@gmail.com)
Date: Thu Mar 29 2007 - 07:21:37 ART


Hi all,
Once again I am having a hard time understanding a part of Cisco
documentation. It's regarding the dot1x guest-vlan and dot1x
guest-vlan supplicant.

This is from 3550 12.1(20)EA2

quote/
dot1x guest-vlan vlan-id
no dot1x guest-vlan

Usage Guidelines

When you configure a guest VLAN, clients that are not 802.1x-capable
are put into the guest VLAN when the server does not receive a
response to its Extensible Authentication Protocol over LAN (EAPOL)
request/identity frame. Clients that are 802.1x-capable but fail
authentication are not granted access to the network.
/quote

I conclude:
- If the client is dot1x-capable but authentication fails --> unauthorized
- If the client is not dot1x-capable --> guest-vlan

Then we go to the current documentation (12.2(25)SEE), which says this:

quote/
'Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
EAPOL packet history and allowed clients that failed authentication
access to the guest VLAN, regardless of whether EAPOL packets had been
detected on the interface.'
/quote

Is it me, or is this a total contradiction with what is documented for
the older release????

My guess is that guest-vlan supplicant is the way to implement the
auth-fail vlan with releases that do not support auth-fail vlan (in
which case auth-fail vlan = guest-vlan). I think these are the options
for IOS 12.2(25)SE (which supports guest-vlan supplicant):

dot1x guest-vlan WITHOUT guest-vlan supplicant (based on 12.1 doc):
- If the client is dot1x-capable but authentication fails --> unauthorized
- If the client is not dot1x-capable --> guest-vlan

dot1x guest-vlan WITH guest-vlan supplicant:
- If the client is dot1x-capable but authentication fails --> guest-vlan
- If the client is not dot1x-capable --> guest-vlan

Can anyone confirm or correct me if I'm wrong?

Thanks.

Maureen
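
The two variants discussed in the post, written out as an added IOS configuration example (not part of the original message or of Cisco's documentation). It assumes the 12.2(25)SE-style command set named in the post: the per-interface `dot1x guest-vlan <vlan-id>` command and the global `dot1x guest-vlan supplicant` command, a RADIUS server at 192.0.2.10 (constructed address), VLAN 900 as the guest VLAN and VLAN 10 as the production VLAN. The comments describe the behaviour the post hypothesises for each variant, not verified vendor behaviour; the `show` commands at the end are the checks an operator would run to confirm which variant a given switch is actually in.

```cisco
! --- Common 802.1X base (assumed standard IOS syntax) ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key RADIUS-KEY-PLACEHOLDER
dot1x system-auth-control
!
! Guest VLAN: keep it an isolated, restricted network. Anything that
! lands here has NOT proven its identity, so treat it like the Internet.
vlan 900
 name GUEST-UNAUTHENTICATED
!
! --- Variant A: guest VLAN only (post's reading of the 12.1 doc) ---
! Clients that never answer EAPOL request/identity  --> VLAN 900
! Clients that speak EAPOL but fail authentication  --> port stays unauthorized
interface FastEthernet0/1
 description host port, guest VLAN without supplicant mode
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 900
!
! --- Variant B: guest VLAN plus supplicant mode (post's reading of 12.2(25)SE) ---
! The global command below is assumed to make the switch place clients
! that sent EAPOL and FAILED authentication into the guest VLAN as well,
! i.e. the guest VLAN doubles as an auth-fail VLAN. Risk to weigh: a host
! with a wrong or revoked credential then receives exactly the same access
! as a device that never attempted 802.1X at all.
dot1x guest-vlan supplicant
!
interface FastEthernet0/2
 description host port, guest VLAN with supplicant mode
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 900
!
! --- Checks: confirm which behaviour a switch is configured for ---
! Is supplicant mode present globally?
!   show running-config | include guest-vlan
! Per-port 802.1X state, including the configured guest VLAN:
!   show dot1x interface FastEthernet0/1
!   show dot1x all
! Which VLAN a port actually ended up in after a failed attempt:
!   show vlan brief
```

Operationally, the `show running-config | include guest-vlan` line is the quickest way to tell the two variants apart on a live switch, since the difference is a single global command; the interface configuration is identical in both cases.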



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:53 ART