From: Mike Kraus (mikraus) (mikraus@cisco.com)
Date: Fri Jun 29 2007 - 11:19:44 ART
It is EAP, not EOP btw. :)
The command is still functional, yet it has been hidden.
This was previously used commonly in voice environments, where the
client behind the phone disconnects and reconnects later. However, it
has been seen that MDA (Multi Domain Authentication) deprecates the need
for this function, since both the phone and the client can perform
independent 802.1x authentications. See:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00807743fb.html#wp1271000
From what I have heard, there aren't any plans to remove the dot1x
guest-vlan supplicant command/functionality in the near future, however
best practice would be to migrate to MDA as that provides a superior
solution.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
louis john
Sent: Friday, June 29, 2007 7:21 AM
To: Cisco certification
Subject: What does dot1x guest-vlan supplicant command mean?
Dear Group,
Can you please explain what the above command means? Why is it no longer
supported in IOS 12.2(25)SEE and later?
Why can you still apply this command on IOS 12.2(25)SEE and later even
though it is hidden?
If you type the command, the IOS will accept it; is the IOS going to
accept it without considering its function?
This is what I understood about the command, please correct me:
This command was designed to check the history of the link and see if the
client had a previous EOP exchange over the link. So if there was any
previous history of EOP with that client, the command will not put the
client in the guest VLAN, but I am not sure if the command will then put
the client in the restricted VLAN or not.
Now the problem is that the history could be erased if the link goes down
and up again, so the next time the client comes to authenticate, the
command "dot1x guest-vlan supplicant" will trigger another check for the
EOP history, and because the link was flapped there is no previous
history of whether this client supports EOP (802.1x) or not, and then if the
client did not authenticate, "dot1x guest-vlan supplicant" will
consider that the client does not support EOP and will put the client in the
guest VLAN.
Of course this will happen if we assume the client removed the
supplicant the next time, to show the switch that he/she is unable to
support 802.1x.
Now Cisco engineers said: why should we have such a hole! The hacker could
pretend that he does not support 802.1x and would win some services
from the guest VLAN, so they decided to cancel the support of this
command and said: we will make it explicit every time the client is
authenticating, and every time it should check two things:
1 - If EOP came through the wire with a failed authentication, then the
client will be placed in the restricted VLAN.
2 - If no EOP was discovered on the link, then place the client in the
guest VLAN.
Now as you see I contradict myself above, because I can still pretend
to have no EOP support and win going to the guest VLAN.
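As an added example (not from either message in this thread, and not Cisco's own sample), here is how the two approaches look side by side in Cisco IOS configuration: the hidden global command louis asks about, and a multi-domain (MDA) port of the kind Mike recommends, with the guest VLAN and restricted (auth-fail) VLAN behaviour louis lists under points 1 and 2. The interface name, VLAN numbers, attempt count and reauthentication timer are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. Interface name, VLAN IDs,
! max-attempts and reauth-period are assumed values.
!
! --- Legacy behaviour discussed in the thread ---
! Global command. Still accepted on 12.2(25)SEE and later, but no longer
! listed in the CLI help. As discussed in the thread, it lets the switch
! ignore the link's EAPOL history, so a client that failed to authenticate
! can still land in the guest VLAN.
dot1x system-auth-control
dot1x guest-vlan supplicant
!
! --- Recommended replacement: Multi-Domain Authentication (MDA) ---
! One IP phone in the voice domain and one PC behind it in the data
! domain, each running its own independent 802.1x authentication, so a
! PC that unplugs and reconnects later is re-evaluated on its own.
interface GigabitEthernet1/0/1
 description Phone + PC behind it (MDA)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x port-control auto
 dot1x host-mode multi-domain
 ! Point 2 in the thread: no EAPOL seen from the data device, so it is
 ! treated as 802.1x-incapable and placed in the guest VLAN.
 dot1x guest-vlan 20
 ! Point 1 in the thread: EAPOL was seen but authentication failed
 ! (after max-attempts), so the device goes to the restricted VLAN,
 ! not the guest VLAN.
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 3
 ! Re-run authentication periodically instead of trusting link state
 ! alone; a flapped link no longer decides VLAN placement by itself.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
```

With the per-port guest VLAN and auth-fail VLAN configured, the global `dot1x guest-vlan supplicant` line is unnecessary and should be removed once the migration is done; the remaining exposure louis points out (a host that deliberately stays silent is indistinguishable from one with no supplicant) is inherent to any guest VLAN and is the reason the guest VLAN should carry only the access you are willing to give an unauthenticated device.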
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART