RE: how difficult can it be, dot1x guest-vlan

From: Thomas.W.Johnson@chase.com
Date: Thu Mar 29 2007 - 09:50:38 ART


Not sure if I read your question correctly or not. Are you asking what
the difference is between the two commands? I believe both commands
perform the same function, allowing users/devices who do support Dot1x
authentication, but fail to properly authenticate to have access to the
guest vlan.

This is from the Cat 3550 command reference; my interpretation was that we
no longer use dot1x guest-vlan supplicant and start using the dot1x
auth-fail vlan command instead.

Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
EAPOL packet history and allowed clients that failed authentication
access to the guest VLAN, regardless of whether EAPOL packets had been
detected on the interface. In Cisco IOS Release 12.2(25)SE, you can use
the dot1x guest-vlan supplicant global configuration command to enable
this optional behavior.

However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan
supplicant global configuration command is no longer supported. You can
use a restricted VLAN to allow clients that failed authentication access
to the network by entering the dot1x auth-fail vlan vlan-id interface
configuration command.

Thomas Johnson
JP Morgan Chase
Global Network Implementation
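The two approaches Thomas contrasts above, written out as an IOS configuration. This is an added example for illustration, not configuration posted by anyone in the thread or taken from the Cisco documentation quoted; the VLAN numbers, interface names, RADIUS server address and key are constructed values, and the `dot1x auth-fail max-attempts` line is a related command that the thread itself does not mention.

```cisco
! Added example (not from the thread). VLAN ids, interfaces, RADIUS address
! and key are constructed values.
!
! --- Common 802.1x base (same on both releases) ---
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
!
! --- Variant A: 12.2(25)SE, global 'dot1x guest-vlan supplicant' ---
! Without this global command only clients that never answer EAPOL go to
! the guest VLAN; with it, clients that speak EAPOL but fail authentication
! are placed in the guest VLAN as well. Removed again in 12.2(25)SEE.
dot1x guest-vlan supplicant
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 100
!
! --- Variant B: 12.2(25)SEE, per-interface 'dot1x auth-fail vlan' ---
! Non-802.1x clients still land in the guest VLAN (100); clients that fail
! authentication are moved to a separate restricted VLAN (200) instead of
! sharing the guest VLAN.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 100
 dot1x auth-fail vlan 200
 ! Related command not discussed in the thread: number of failed attempts
 ! before the port is moved to the auth-fail VLAN (default is 3).
 dot1x auth-fail max-attempts 3
```

Variant B is the one to prefer where the release supports it: a device that actively failed authentication is a different risk than a printer that simply does not speak 802.1x, and keeping the two in separate VLANs lets you apply tighter ACLs and logging to VLAN 200 than to VLAN 100. In either variant treat both VLANs as untrusted segments rather than as a path to the internal network. `show dot1x interface FastEthernet0/2` shows which VLAN a port has actually been placed in.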

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ian
Sent: Thursday, March 29, 2007 6:31 AM
To: maureen schaar; Cisco certification
Subject: Re: how difficult can it be, dot1x guest-vlan

maureen schaar, how are you!

        Another interesting thing is that for the latest IOS version
(Version 12.2(25)SEE2), the command "dot1x guest-vlan supplicant" has
become a hidden command. It does not appear as available, but it still
allows you to configure it. Therefore, I guess .....

======= 2007-03-29 20:25:40 What you've mentioned in your
letter: =======

>Hi all,
>Once again I am having a hard time understanding a part of cisco
>documentation. It's regarding the dot1x guest-vlan and dot1x
>guest-vlan supplicant.
>
>This is from 3550 12.1(20)EA2
>
>quote/
>dot1x guest-vlan vlan-id
>no dot1x guest-vlan
>
>Usage Guidelines
>
>When you configure a guest VLAN, clients that are not 802.1x-capable
>are put into the guest VLAN when the server does not receive a
>response to its Extensible Authentication Protocol over LAN (EAPOL)
>request/identity frame. Clients that are 802.1x-capable but fail
>authentication are not granted access to the network.
>/quote
>
>I conclude:
>- If client is dot1x capable but authentication fails --> unauthorized
>- If the client is not dot1x capable --> guest-vlan
>
>Then we go to the current documentation (12.2(25)SEE), which says this:
>
>quote/
>'Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
>EAPOL packet history and allowed clients that failed authentication
>access to the guest VLAN, regardless of whether EAPOL packets had been
>detected on the interface.'
>/quote
>
>Is it me, or is this a total contradiction with what is documented for
>the older release????
>
>My guess is that guest-vlan supplicant is the way to implement the
>auth-fail vlan with releases that do not support auth-fail vlan (in
>which case auth-fail vlan = guest-vlan). I think these are the options
>for IOS 12.2(25)SE (which supports guest-vlan supplicant):
>
>
>dot1x guest-vlan WITHOUT guest-vlan supplicant (based on 12.1 doc):
>- If client is dot1x capable but authentication fails --> unauthorized
>- If the client is not dot1x capable --> guest-vlan
>
>dot1x guest-vlan WITH guest-vlan supplicant:
>- If client is dot1x capable but authentication fails --> guest-vlan
>- If the client is not dot1x capable --> guest-vlan
>
>Can anyone confirm or correct me if I'm wrong?
>
>Thanks.
>
>Maureen
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html

= = = = = = = = = = = = = = = = = = = =

Have a nice day.

ian
iyux2000@gmail.com
2007-03-29



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:53 ART