From: louis john (west_coast@inbox.com)
Date: Fri Jun 29 2007 - 09:21:17 ART
Dear Group,
Can you please explain what the above command means? Why is it no longer supported in IOS 12.2(25)SEE and later?
Why can you still apply this command on IOS 12.2(25)SEE and later, even though it is hidden?
If you type the command, the IOS will accept it; is the IOS going to accept it without considering its function?
This is what I understood about the command; please correct me:
This command was designed to check the history of the link and see if the client had a previous EAP exchange over the link. So if there was any previous history of EAP with that client, the command will not put the client in the guest VLAN, but I am not sure whether the command will then put the client in the restricted VLAN or not.
Now the problem is that the history could be erased if the link goes down and up again, so the next time the client comes to authenticate, the command "dot1x guest-vlan supplicant" will trigger another check for the EAP history, and because the link was flapped there is no previous history of whether this client supports EAP (802.1x) or not; then, if the client does not authenticate, "dot1x guest-vlan supplicant" will consider that the client does not support EAP and will put the client in the guest VLAN.
Of course this will happen if we assume the client removed the supplicant the next time, to show the switch that he/she is unable to support 802.1x.
Now Cisco engineers said: why should we have such a hole! A hacker could pretend that he does not support 802.1x and would win some services from the guest VLAN. So they decided to cancel the support of this command and said: we will make it explicit every time the client is authenticating, and every time it should check two things:
1 - If EAP came through the wire with a failed authentication, then the client will be placed in the restricted VLAN.
2 - If no EAP was discovered on the link, then place the client in the guest VLAN.
Now, as you see, I contradict myself above, because I can still pretend to have no EAP support and win going to the guest VLAN.
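The placement logic the post describes, as an added model that is not part of the original message and is not IOS code: a port object decides between "authorized", the auth-fail (restricted) VLAN, the guest VLAN, and "unauthorized" from whether EAP was seen and whether it succeeded, once with the legacy "dot1x guest-vlan supplicant" per-port EAP history and once checking only the current attempt. The VLAN numbers, the "unauthorized" outcome when history refuses the guest VLAN, and the assumption that a failed EAP exchange lands in the auth-fail VLAN are assumptions of the model, as is the link flap clearing the history.

```python
"""Toy model of an 802.1X port choosing between the guest VLAN and the
auth-fail (restricted) VLAN, with and without the per-port EAP history that
the legacy "dot1x guest-vlan supplicant" keyword is described as consulting.

Added illustration, not IOS code. VLAN ids, the UNAUTHORIZED outcome when
history refuses the guest VLAN, the failed-EAP -> auth-fail VLAN rule and the
history reset on link flap are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import List

GUEST_VLAN = 100      # assumption: hypothetical guest VLAN id
AUTH_FAIL_VLAN = 200  # assumption: hypothetical auth-fail (restricted) VLAN id

AUTHORIZED = "authorized"        # EAP exchange succeeded
AUTH_FAIL = "auth-fail vlan"     # EAP seen, credentials rejected
GUEST = "guest vlan"             # no EAP seen, treated as a non-802.1X client
UNAUTHORIZED = "unauthorized"    # no EAP seen, but history says the client can do EAP


@dataclass
class Dot1xPort:
    # True models the legacy keyword: remember whether EAP was ever seen on
    # this link and refuse the guest VLAN if it was. False models the later
    # behaviour the post describes: decide from the current attempt only.
    history_keyword: bool
    eap_seen_before: bool = False
    log: List[str] = field(default_factory=list)

    def link_flap(self) -> None:
        """Link down/up: the per-port EAP history is lost (the hole in the post)."""
        self.eap_seen_before = False
        self.log.append("link flap: EAP history cleared")

    def attempt(self, eap_seen: bool, auth_ok: bool = False) -> str:
        """One authentication attempt on the port.

        eap_seen: did the client answer EAP-Request/Identity (i.e. run a supplicant)?
        auth_ok:  if it did, were the credentials accepted?
        """
        if eap_seen:
            self.eap_seen_before = True
            outcome = AUTHORIZED if auth_ok else AUTH_FAIL
        elif self.history_keyword and self.eap_seen_before:
            # Legacy keyword: an earlier EAP exchange proves the client has a
            # supplicant, so going quiet does not earn the guest VLAN.
            outcome = UNAUTHORIZED
        else:
            outcome = GUEST
        self.log.append(f"eap_seen={eap_seen} auth_ok={auth_ok} -> {outcome}")
        return outcome


def legacy_keyword_scenario() -> List[str]:
    """Client fails EAP, then hides its supplicant; then the same after a flap."""
    port = Dot1xPort(history_keyword=True)
    steps = [
        port.attempt(eap_seen=True, auth_ok=False),  # auth-fail VLAN
        port.attempt(eap_seen=False),                 # history blocks the guest VLAN
    ]
    port.link_flap()                                  # history erased
    steps.append(port.attempt(eap_seen=False))        # now reaches the guest VLAN
    return steps


def explicit_check_scenario() -> List[str]:
    """Same client against a port that checks only the current attempt."""
    port = Dot1xPort(history_keyword=False)
    return [
        port.attempt(eap_seen=True, auth_ok=False),   # auth-fail VLAN
        port.attempt(eap_seen=False),                  # guest VLAN, no flap needed
    ]


if __name__ == "__main__":
    for name, run in (("legacy keyword", legacy_keyword_scenario),
                      ("explicit check", explicit_check_scenario)):
        print(name, "->", run())
```

Running both scenarios shows the point the poster is making: with the history keyword the client has to flap the link before going quiet gets it into the guest VLAN, while with the per-attempt check it only has to stop answering EAP, so the per-attempt rule removes the stale-history problem but not the "pretend to have no supplicant" path into the guest VLAN.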
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART