Re: how difficult can it be, dot1x guest-vlan

From: ian (iyux2000@gmail.com)
Date: Thu Mar 29 2007 - 08:31:18 ART


Maureen Schaar, how are you!

Another interesting thing is that in the latest IOS version (Version 12.2(25)SEE2), the command "dot1x guest-vlan supplicant" has become a hidden command. It appears not available, but it allows you to configure it. Therefore, I guess .....

======= 2007-03-29 20:25:40 What you've mentioned in your letter: =======

>Hi all,
>Once again I am having a hard time understanding a part of Cisco
>documentation. It's regarding the dot1x guest-vlan and dot1x
>guest-vlan supplicant.
>
>This is from 3550 12.1(20)EA2
>
>quote/
>dot1x guest-vlan vlan-id
>no dot1x guest-vlan
>
>Usage Guidelines
>
>When you configure a guest VLAN, clients that are not 802.1x-capable
>are put into the guest VLAN when the server does not receive a
>response to its Extensible Authentication Protocol over LAN (EAPOL)
>request/identity frame. Clients that are 802.1x-capable but fail
>authentication are not granted access to the network.
>/quote
>
>I conclude:
>- If client is dot1x capable but authentication fails --> unauthorized
>- If the client is not dot1x capable --> guest-vlan
>
>Then we go to the current documentation (12.2(25)SEE), which says this:
>
>quote/
>'Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
>EAPOL packet history and allowed clients that failed authentication
>access to the guest VLAN, regardless of whether EAPOL packets had been
>detected on the interface.'
>/quote
>
>Is it me, or is this a total contradiction with what is documented for
>the older release????
>
>My guess is that guest-vlan supplicant is the way to implement the
>auth-fail vlan with releases that do not support auth-fail vlan (in
>which case auth-fail vlan = guest-vlan). I think these are the options
>for IOS 12.2(25)SE (which supports guest-vlan supplicant):
>
>
>dot1x guest-vlan WITHOUT guest-vlan supplicant (based on 12.1 doc):
>- If client is dot1x capable but authentication fails --> unauthorized
>- If the client is not dot1x capable --> guest-vlan
>
>dot1x guest-vlan WITH guest-vlan supplicant:
>- If client is dot1x capable but authentication fails --> guest-vlan
>- If the client is not dot1x capable --> guest-vlan
>
>Can anyone confirm or correct me if I'm wrong?
>
>Thanks.
>
>Maureen
>

= = = = = = = = = = = = = = = = = = = =

Have a nice day.

ian
iyux2000@gmail.com
2007-03-29



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:53 ART