From: maureen schaar (maureen.schaar@gmail.com)
Date: Thu Mar 29 2007 - 11:03:56 ART
In releases after 12.2(25)SE a new command 'dot1x auth-fail vlan' has
become available, which has replaced the 'dot1x guest-vlan
supplicant'. There would be no more need for guest-vlan supplicant.
Maureen
On 3/29/07, ian <iyux2000@gmail.com> wrote:
> maureen schaar, how are you!
>
> Another interesting thing is that for the latest IOS version (Version 12.2(25)SEE2), the command "dot1x guest-vlan supplicant" has become a hidden command. It appears not available, but it allows you to configure it. Therefore, I guess .....
>
> ======= 2007-03-29 20:25:40 What you've mentioned in your letter:=======
>
> >Hi all,
> >Once again I am having a hard time understanding a part of cisco
> >documentation. It's regarding the dot1x guest-vlan and dot1x
> >guest-vlan supplicant.
> >
> >This is from 3550 12.1(20)EA2
> >
> >quote/
> >dot1x guest-vlan vlan-id
> >no dot1x guest-vlan
> >
> >Usage Guidelines
> >
> >When you configure a guest VLAN, clients that are not 802.1x-capable
> >are put into the guest VLAN when the server does not receive a
> >response to its Extensible Authentication Protocol over LAN (EAPOL)
> >request/identity frame. Clients that are 802.1x-capable but fail
> >authentication are not granted access to the network.
> >/quote
> >
> >I conclude:
> >- If client is dot1x capable but authentication fails --> unauthorized
> >- If the client is not dot1x capable --> guest-vlan
> >
> >Then we go to the current documentation (12.2(25)SEE), which says this:
> >
> >quote/
> >'Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
> >EAPOL packet history and allowed clients that failed authentication
> >access to the guest VLAN, regardless of whether EAPOL packets had been
> >detected on the interface.'
> >/quote
> >
> >Is it me, or is this a total contradiction with what is documented for
> >the older release????
> >
> >My guess is that guest-vlan supplicant is the way to implement the
> >auth-fail vlan with releases that do not support auth-fail vlan (in
> >which case auth-fail vlan = guest-vlan). I think these are the options
> >for IOS 12.2(25)SE (which supports guest-vlan supplicant):
> >
> >
> >dot1x guest-vlan WITHOUT guest-vlan supplicant (based on 12.1 doc):
> >- If client is dot1x capable but authentication fails --> unauthorized
> >- If the client is not dot1x capable --> guest-vlan
> >
> >dot1x guest-vlan WITH guest-vlan supplicant:
> >- If client is dot1x capable but authentication fails --> guest-vlan
> >- If the client is not dot1x capable --> guest-vlan
> >
> >Can anyone confirm or correct me if I'm wrong?
> >
> >Thanks.
> >
> >Maureen
> >
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
>
> Have a nice day.
>
>
> ian
> iyux2000@gmail.com
> 2007-03-29
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:53 ART