From: louis john (west_coast@inbox.com)
Date: Fri Jun 29 2007 - 11:26:35 ART
I am sorry for the term, EAP (Extensible Authentication Protocol).
Can you make it simpler please? I am not getting it; what is the relation between the IP Phone, the Client and the command :(
> -----Original Message-----
> From: mikraus@cisco.com
> Sent: Fri, 29 Jun 2007 10:19:44 -0400
> To: west_coast@inbox.com, ccielab@groupstudy.com
> Subject: RE: What does dot1x guest-vlan supplicant command mean?
> 
> It is EAP, not EOP btw. :)
> 
> The command is still functional, yet it has been hidden.
> 
> This was previously used commonly in voice environments, where the
> client behind the phone disconnects and reconnects later.  However, it
> has been seen that MDA (Multi Domain Authentication) deprecates the need
> for this function, since both the phone and the client can perform
> independent 802.1x authentications.  See:
> 
> http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00807743fb.html#wp1271000
> 
> From what I have heard, there aren't any plans to remove the dot1x
> guest-vlan supplicant command/functionality in the near future, however
> best practice would be to migrate to MDA as that provides a superior
> solution.
> 
> 
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> louis john
> Sent: Friday, June 29, 2007 7:21 AM
> To: Cisco certification
> Subject: What does dot1x guest-vlan supplicant command mean?
> 
> Dear Group,
> 
> 
> Can you please explain what the above command means? Why is it no longer
> supported in IOS 12.2(25)SEE and later?
> 
> 
> Why can you still apply this command on IOS 12.2(25)SEE and later
> even though it is hidden?
> If you type the command the IOS will accept it; is the IOS going to
> accept it without considering its function?
> 
> 
> This is what I understood about the command, please correct me :
> 
> This command was designed to check the history of the link and see if the
> client had a previous EOP exchange over the link. So if there was any
> previous history of EOP with that client, the command will not put the
> client in the guest vlan, but I am not sure if the command will then put
> the client in the restricted vlan or not.
> 
> 
> Now the problem is that the history could be erased if the link goes down
> and up again, so the next time the client comes to authenticate, the
> command "dot1x guest-vlan supplicant" will trigger another check for the
> EOP history, and because the link was flapped there is no previous
> history of whether this client supports EOP (802.1x) or not, and then if the
> client does not authenticate, the "dot1x guest-vlan supplicant" will
> consider that the client does not support EOP and will put the client in the
> guest vlan.
> 
> Of course this will happen if we assume the client removed the
> supplicant the next time, to show the switch that he/she is unable to
> support 802.1x.
> 
> 
> 
> Now Cisco engineers said: why should we have such a hole! The hacker could
> pretend that he does not support 802.1x and will win some services
> from the guest vlan, so they decided to cancel the support of this
> command and said we will make it explicit every time the client is
> authenticating, and every time it should check two things:
> 
> 
> 1 - If EOP came through the wire with a failed authentication, then the
> client will be placed in the restricted vlan.
> 
> 2 - If no EOP was discovered on the link, then place the client in the
> guest vlan.
> 
> 
> 
> Now as you see, I contradict myself above, because I can still pretend
> to have no EOP support and win going to the guest vlan.
> 
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART
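For readers following the MDA recommendation in the reply above, here is an added Catalyst access-port configuration (not from the thread or from Cisco's document) that replaces the global "dot1x guest-vlan supplicant" approach with per-device authentication for the phone and the PC behind it; VLAN numbers, the RADIUS server address and the key are placeholders.

```ios
! Added example: MDA-based replacement for "dot1x guest-vlan supplicant".
! VLAN ids, RADIUS address and key are placeholders, not values from the thread.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key PLACEHOLDER-KEY
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x pae authenticator
 dot1x port-control auto
 ! Phone (voice domain) and PC (data domain) authenticate independently,
 ! so the switch no longer needs the link's EAPOL history to decide anything.
 dot1x host-mode multi-domain
 ! Check 2 from the thread: no EAPOL seen on the link -> guest VLAN.
 dot1x guest-vlan 50
 ! Check 1 from the thread: EAP exchange seen but it failed -> restricted VLAN.
 dot1x auth-fail vlan 60
 dot1x auth-fail max-attempts 3
```

After a PC is plugged in behind the phone, "show dot1x interface FastEthernet0/1 details" shows the two domains and whether the data client landed in the guest or auth-fail VLAN, which is the history check the thread worries about made explicit per session.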