RE: What does dot1x guest-vlan supplicant command mean?

From: Mike Kraus (mikraus) (mikraus@cisco.com)
Date: Fri Jun 29 2007 - 11:44:11 ART


No problem.

It is important to remember that the 802.1x authentication process only
starts with either of these two events:
 1) Link Change
 2) Receipt of an EAPoL start from a supplicant

Here's an example for you. Just say you have a phone and an EAP-capable
client device plugged in behind the phone. Assuming the EAP-capable
client fails authentication, this will place the port into the guest
VLAN. Then, when the client is removed, an EAP logoff is sent from the
phone to the switch. This puts the port into an unauthorized state.
However, then if a new client is plugged in behind the phone which does
not have an EAP supplicant, no EAPoL start message is sent and the link
stays up to the switch (since the phone isn't unplugged), so the new
client without a supplicant is never moved to the guest VLAN.

So, to work around this, the command "dot1x guest-vlan supplicant" makes
the switch allow clients to access a guest VLAN, whether or not previous
EAPoL packets have been received on the interface. (Or use MDA.)

Remember the problem here is that 802.1x on switches was intended really
for authentication of an individual port, not for individual IPs or MAC
addresses. So, special considerations need to be taken when multiple
devices are attached to the same port.
 

-----Original Message-----
From: louis john [mailto:west_coast@inbox.com]
Sent: Friday, June 29, 2007 9:27 AM
To: Mike Kraus (mikraus); Cisco certification
Subject: RE: What does dot1x guest-vlan supplicant command mean?

I am sorry for the term, EAP (Extensible Authentication Protocol),

Can you make it more simple please, I am not getting it, what is the
relation between the IP Phone, the Client and the command :(

> -----Original Message-----
> From: mikraus@cisco.com
> Sent: Fri, 29 Jun 2007 10:19:44 -0400
> To: west_coast@inbox.com, ccielab@groupstudy.com
> Subject: RE: What does dot1x guest-vlan supplicant command mean?
>
> It is EAP, not EOP btw. :)
>
> The command is still functional, yet it has been hidden.
>
> This was previously used commonly in voice environments, where the
> client behind the phone disconnects and reconnects later. However, it
> has been seen that MDA (Multi Domain Authentication) deprecates the
> need for this function, since both the phone and the client can
> perform independent 802.1x authentications. See:
>
> http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00807743fb.html#wp1271000
>
> From what I have heard, there aren't any plans to remove the dot1x
> guest-vlan supplicant command/functionality in the near future,
> however best practice would be to migrate to MDA as that provides a
> superior solution.
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of louis john
> Sent: Friday, June 29, 2007 7:21 AM
> To: Cisco certification
> Subject: What does dot1x guest-vlan supplicant command mean?
>
> Dear Group,
>
>
> Can you please explain what the above command means? Why is it no
> longer supported in IOS 12.2(25)SEE and later?
>
>
> Why can you still apply this command on IOS 12.2(25)SEE and later
> even though it is hidden? If you type the command the IOS will accept
> it; is the IOS going to accept it without considering its function?
>
>
> This is what I understood about the command, please correct me :
>
> This command was designed to check the history of the link and see if
> the client had a previous EOP exchange over the link. So if there was
> any previous history of EOP with that client, the command will not put
> the client in the guest vlan, but I am not sure if the command will
> then put the client in the restricted vlan or not.
>
>
> Now the problem is that the history could be erased if the link goes
> down and up again, so next time if the client came to authenticate, the
> command "dot1x guest-vlan supplicant" will trigger another check for
> the EOP history, and because the link was flapped there is no previous
> history of whether this client supports EOP (802.1x) or not, and then
> if the client did not authenticate the "dot1x guest-vlan supplicant"
> will consider the client is not supporting EOP and will put the client
> in the guest vlan.
>
> Of course this will happen if we assume the client removed the
> supplicant the next time, to show the switch that he/she is unable
> to support 802.1x.
>
>
>
> Now Cisco engineers said, why should we have such a hole! The hacker
> could pretend that he does not support 802.1x and will win some
> services from the guest vlan, so they decided to cancel the support of
> this command and said we will make it explicit every time the client
> is authenticating, and every time it should check two things:
>
>
> 1 - If EOP came through the wire with a failed authentication then the
> client will be placed in the restricted vlan.
>
> 2 - If no EOP was discovered on the link then place the client in the
> guest vlan.
>
>
>
> Now as you see I contradict myself above, because I can still pretend
> to have no EOP support and win going to the guest vlan.
>

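As an added example (not part of the thread, and not Cisco's code), here is a small Python model of the port behaviour Mike Kraus describes above: authentication restarts only on a link change or an EAPoL-Start, and once EAPoL has been seen on a link the guest VLAN is withheld unless "dot1x guest-vlan supplicant" is configured. The VLAN numbers, class and function names are constructed, and the model is a simplification of the IOS state machine.

```python
# Constructed model of the 802.1x port behaviour discussed above (illustration
# only, not IOS code): auth restarts only on link change or EAPoL-Start, and the
# guest VLAN is withheld once EAPoL was seen unless the override is configured.
from dataclasses import dataclass, field
from typing import List, Optional

GUEST_VLAN, DATA_VLAN = 10, 20   # constructed VLAN numbers

@dataclass
class Dot1xPort:
    guest_vlan_supplicant: bool          # global 'dot1x guest-vlan supplicant'
    eapol_seen: bool = False             # EAPoL history since last link-up
    state: str = "unauthorized"
    vlan: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def _set(self, state: str, vlan: Optional[int], why: str) -> None:
        self.state, self.vlan = state, vlan
        self.log.append(f"{why} -> {state} (vlan {vlan})")

    def link_change(self) -> None:
        self.eapol_seen = False          # a flap clears the EAPoL history
        self._set("unauthorized", None, "link change")

    def eapol_start(self, auth_ok: bool) -> None:
        self.eapol_seen = True           # a supplicant is speaking EAPoL
        if auth_ok:
            self._set("authorized", DATA_VLAN, "EAP success")
        else:                            # failure -> guest VLAN, as in Mike's example
            self._set("guest", GUEST_VLAN, "EAP failure")

    def eapol_logoff(self) -> None:
        self.eapol_seen = True           # the phone signals the client left
        self._set("unauthorized", None, "EAPoL logoff")

    def identity_requests_unanswered(self) -> None:
        # EAP-Request/Identity retries time out: a device with no supplicant.
        if self.eapol_seen and not self.guest_vlan_supplicant:
            self._set("unauthorized", None, "timeout, EAPoL history kept")
        else:
            self._set("guest", GUEST_VLAN, "timeout, guest VLAN allowed")

def phone_scenario(guest_vlan_supplicant: bool) -> Optional[int]:
    """Phone, failing EAP client removed, then a non-supplicant client added."""
    port = Dot1xPort(guest_vlan_supplicant)
    port.link_change()                   # phone plugged in
    port.eapol_start(auth_ok=False)      # EAP client fails -> guest VLAN
    port.eapol_logoff()                  # client unplugged behind the phone
    port.identity_requests_unanswered()  # new client: no link change, no EAPoL-Start
    return port.vlan
```

Without the override the second client is left with no VLAN at all; with it the port falls to the guest VLAN, which is the trade-off the thread is weighing against MDA.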


This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART