Re: dot1x & Guest VLAN

From: Rob McDonald (robmexpert@gmail.com)
Date: Wed May 09 2007 - 17:09:25 ART


Hello,

Thanks for the reply... Once again I'm trying to configure "I'm trying to
set-up 802.1x based guest vlan authentication using a radius server @
100.100.1.100 and password CCIE. Is this the right way to achieve this"

aaa new-model
aaa authentication dot1x default group radius

aaa authentication login VTY line
aaa authentication login CONN none

radius-server host 100.100.1.100
radius-server key CCIE

dot1x system-auth-control
dot1x guest-vlan supplicant

interface range fa0/10-13
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 100
 dot1x auth-fail vlan 100

line con 0
 login authentication CONN

line vty 0 4
 login authentication VTY

On 5/9/07, Edison Ortiz <edisonmortiz@gmail.com> wrote:
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/sw8021x.htm
> Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL
> packet history and allowed clients that failed authentication access to the
> guest VLAN, regardless of whether EAPOL packets had been detected on the
> interface. You can enable this optional behavior by using the dot1x
> guest-vlan supplicant global configuration command. However, in Cisco IOS
> Release 12.2(25)SEE, the dot1x guest-vlan supplicant global configuration
> command is no longer supported. Use a restricted VLAN to allow clients that
> failed authentication access to the network by entering the dot1x auth-fail
> vlan vlan-id interface configuration command.
>
> ______________________________
>
> Keep in mind, when enabling aaa new-model - you need to disable
> authentication for the vty lines and console port.
>
> ----- Original Message -----
> From: "Rob McDonald" <robmexpert@gmail.com>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, May 09, 2007 4:23 AM
> Subject: dot1x & Guest VLAN
>
>
> > Hello group,
> >
> > I'm trying to set-up 802.1x based guest vlan authentication using a radius
> > server @ 100.100.1.100 and password CCIE. Is this the right way to achieve
> > this:
> >
> > aaa new-model
> > aaa authentication dot1x default group radius
> >
> > radius-server host 100.100.1.100
> > radius-server key CCIE
> >
> > dot1x guest-vlan supplicant
> > dot1x system-auth-control
> >
> > interface range fa0/10-13
> >  switchport mode access
> >  dot1x port-control auto
> >  dot1x guest-vlan 100
> >
> > Also is it mandatory to use the command "dot1x guest-vlan supplicant"?
> >
> >
> >
> > Thanks,
> >
> > Rob
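
The points raised in this thread (the retired "dot1x guest-vlan supplicant" command, access-mode 802.1X ports, and login method lists on the console and vty lines once aaa new-model is on) can be checked mechanically. The following Python script is an added example, not code from either poster or from Cisco; the names sections, audit and SAMPLE are chosen here, the sample is constructed from the posted configuration, and it assumes sub-commands are indented as in show running-config output.

```python
import re

# Constructed sample based on the posted config; vty list deliberately unapplied.
SAMPLE = """\
aaa new-model
aaa authentication login VTY line
aaa authentication login CONN none
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet0/10
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 100
 dot1x auth-fail vlan 100
line con 0
 login authentication CONN
line vty 0 4
"""

def sections(text):
    """Split a config into (header, [sub-commands]) using IOS-style indentation."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out

def audit(text):
    """Return findings for the thread's points; the SEE note follows the quoted Cisco doc."""
    secs = sections(text)
    top = [h for h, _ in secs]
    lists = set(re.findall(r"^aaa authentication login (\S+)", text, re.M))
    findings = []
    if "dot1x guest-vlan supplicant" in top:
        findings.append("dot1x guest-vlan supplicant: unsupported from 12.2(25)SEE")
    for head, body in secs:
        dot1x_port = head.startswith("interface") and "dot1x port-control auto" in body
        if dot1x_port and "switchport mode access" not in body:
            findings.append(f"{head}: 802.1X port is not an access port")
        elif head.startswith("line ") and "aaa new-model" in top:
            used = [b.split()[-1] for b in body if b.startswith("login authentication")]
            if not used:
                findings.append(f"{head}: no login authentication list applied")
            elif used[0] not in lists:
                findings.append(f"{head}: list {used[0]} is not defined")
    return findings
```

Calling audit(SAMPLE) reports the global supplicant command and the vty line that has no method list applied.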


