RE: dot1x guest-vlan supplicant

From: louis john (west_coast@inbox.com)
Date: Wed Jul 04 2007 - 02:27:04 ART


Mike,

I really do not know how to thank you, but I really respect the deep knowledge you have in this context, and please allow me to ask you two more questions:

Q1.

Regarding the last section, suppose I add the command "dot1x guest-vlan supplicant" globally; will the IOS override the "dot1x auth-fail vlan 999" and move the 802.1x failure to the guest VLAN instead of the restricted VLAN? i.e. who will win, "dot1x guest-vlan supplicant" or "dot1x auth-fail"?

 interface range f1/0/1 - 48
 switchport mode access
 switchport access vlan 100
 dot1x port-control auto
 dot1x auth-fail vlan 999
 dot1x guest-vlan 900
 
 802.1x success: VLAN 100
 802.1x failure: VLAN 999
 No 802.1x: VLAN 900

Q.2,
Assume that I have IOS 12.2(25)SEE or later and I have a requirement to move the 802.1x failure to the guest VLAN 345; then I should not use the command "dot1x guest-vlan" alone, because this command helps only the "no 802.1x" case, nor the command "dot1x auth-fail", because this command moves the unauthenticated client (802.1x failure) to the restricted VLAN.

So what should I do in this case? :( How can I move the clients to the guest VLAN while they are 802.1x failures?

Let me tell you my answer and correct me if I am wrong:

I should use "dot1x guest-vlan" combined with "dot1x guest-vlan supplicant", because in this case I think the 802.1x failure will be moved to the guest VLAN.

I really appreciate your feedback.

> -----Original Message-----
> From: mikraus@cisco.com
> Sent: Tue, 3 Jul 2007 20:35:28 -0400
> To: west_coast@inbox.com, ccielab@groupstudy.com
> Subject: RE: dot1x guest-vlan supplicant
>
> I suppose it depends on the IOS version of the 3560's in the lab these
> days.
>
> "With Cisco IOS Release 12.2(25)SE and later, the switch maintains the
> EAPOL packet history. If an EAPOL packet is detected on the interface
> during the lifetime of the link, the switch determines that the device
> connected to that interface is an IEEE 802.1x-capable supplicant, and
> the interface does not change to the guest VLAN state. EAPOL history is
> cleared if the interface link status goes down. If no EAPOL packet is
> detected on the interface, the interface changes to the guest VLAN
> state.
>
> Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
> EAPOL packet history and allowed clients that failed authentication
> access to the guest VLAN, regardless of whether EAPOL packets had been
> detected on the interface. You can enable this optional behavior by
> using the dot1x guest-vlan supplicant global configuration command.
> However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan
> supplicant global configuration command is no longer supported. Use a
> restricted VLAN to allow clients that failed authentication access to
> the network by entering the dot1x auth-fail vlan vlan-id interface
> configuration command."
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/sw8021x.htm#wp1176660
>
> So:
>
> Before 12.2(25)SE:
>
> interface range f1/0/1 - 48
> switchport mode access
> switchport access vlan 100
> dot1x port-control auto
> dot1x guest-vlan 900
>
> 802.1x success: VLAN 100
> 802.1x failure: VLAN 900
> No 802.1x: VLAN 900
>
>
> 12.2(25)SE to 12.2(25)SED:
>
> interface range f1/0/1 - 48
> switchport mode access
> switchport access vlan 100
> dot1x port-control auto
> dot1x guest-vlan 900
>
> 802.1x success: VLAN 100
> 802.1x failure: unauthorized, no access (unless the "dot1x guest-vlan
> supplicant" command is used, then VLAN 900).
> No 802.1x: VLAN 900
>
>
> So, in 12.2(25)SEE and later:
>
> interface range f1/0/1 - 48
> switchport mode access
> switchport access vlan 100
> dot1x port-control auto
> dot1x auth-fail vlan 999
> dot1x guest-vlan 900
>
> 802.1x success: VLAN 100
> 802.1x failure: VLAN 999
> No 802.1x: VLAN 900
>
> Of course, you could also assign a VLAN via RADIUS for success, and you
> also could have the restricted (auth-fail) and guest VLANs be the same
> VLAN if you so desired.
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> louis john
> Sent: Tuesday, July 03, 2007 6:39 PM
> To: Cisco certification
> Subject: dot1x guest-vlan supplicant
>
> Folks,
>
> Can you please correct my answer to the following question :
>
> I have IEEE clients connected to my switch port, I am trying to
> authenticate them through DOT1X protocol using radius server, I want to
> put the unauthenticated clients in the guest vlan 345
>
> My config
> aaa new-model
> aaa authentication login default none
> aaa authentication dot1x default group radius
>
> dot1x system-auth-control
>
> interface range f1/0/1 - 48
> switchport mode access
> dot1x guest-vlan 345
>
> Now, do I also have to add "dot1x guest-vlan supplicant" in the
> global configuration, as this is a hidden command on 3750 switches, the
> way we usually do on 3550 switches?
>
> Now I believe that if I put this command in, then the unauthenticated
> IEEE-capable clients will be moved to the guest VLAN.
>
> I appreciate your feedback.
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>


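The version-dependent rules Mike quotes (EAPOL history from 12.2(25)SE, "dot1x guest-vlan supplicant" dropped and "dot1x auth-fail vlan" introduced in 12.2(25)SEE) are easier to reason about as a small state model. The block below is an added example written for this archive page; it is not Cisco code and not part of the original thread. It assumes the three eras are separated exactly at 12.2(25)SE and 12.2(25)SEE as the quoted documentation says, treats "dot1x guest-vlan supplicant" as having no effect on 12.2(25)SEE and later (the documentation only says it is "no longer supported"), and ignores the guest-VLAN timer and the auth-fail attempt counter. The version strings 12.2(20)SE and 12.2(25)SEB are used only as illustrative members of the "before SE" and "SE to SED" eras.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed model of the Catalyst 3560/3750 guest-VLAN / restricted-VLAN
# decision described in the quoted documentation. Not Cisco code: it keeps only
# the version-dependent rules the thread quotes and leaves out timers and the
# "dot1x auth-fail max-attempts" counter.

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]+)")


def version_key(ios: str):
    """Turn '12.2(25)SEE' into a sortable tuple (12, 2, 25, 'SEE')."""
    m = VERSION_RE.fullmatch(ios.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {ios!r}")
    major, minor, build, train = m.groups()
    return (int(major), int(minor), int(build), train)


SE_KEY = version_key("12.2(25)SE")    # EAPOL history introduced (assumed boundary)
SEE_KEY = version_key("12.2(25)SEE")  # guest-vlan supplicant dropped, auth-fail vlan added


def era(ios: str) -> str:
    """Map a version string onto the three behaviours listed in the thread."""
    k = version_key(ios)
    if k < SE_KEY:
        return "pre-SE"
    if k < SEE_KEY:
        return "SE-SED"
    return "SEE+"


@dataclass
class PortConfig:
    access_vlan: int                      # switchport access vlan
    guest_vlan: Optional[int] = None      # dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None  # dot1x auth-fail vlan <id> (SEE+ only)


@dataclass
class Switch:
    ios: str
    guest_vlan_supplicant: bool = False   # global "dot1x guest-vlan supplicant"
    eapol_seen: Dict[str, bool] = field(default_factory=dict)  # per-port EAPOL history

    def link_down(self, port: str) -> None:
        """EAPOL history is cleared when the interface link goes down."""
        self.eapol_seen.pop(port, None)

    def decide(self, port: str, cfg: PortConfig, outcome: str,
               radius_vlan: Optional[int] = None) -> Optional[int]:
        """Return the VLAN the port lands in, or None for 'unauthorized, no access'.

        outcome: 'success' - RADIUS accepted the supplicant
                 'failure' - supplicant answered EAPOL but RADIUS rejected it
                 'none'    - no EAPOL seen before the guest-VLAN timer expired
        """
        e = era(self.ios)
        if outcome == "success":
            return radius_vlan if radius_vlan is not None else cfg.access_vlan
        if outcome == "failure":
            self.eapol_seen[port] = True  # a failing client is by definition 802.1x-capable
            if e == "pre-SE":
                return cfg.guest_vlan     # no history kept: failure falls into the guest VLAN
            if e == "SE-SED":
                return cfg.guest_vlan if self.guest_vlan_supplicant else None
            # SEE+: supplicant command assumed to have no effect; only the restricted VLAN applies
            return cfg.auth_fail_vlan
        if outcome == "none":
            if e != "pre-SE" and self.eapol_seen.get(port):
                return None               # history says a supplicant lives here: stay unauthorized
            return cfg.guest_vlan
        raise ValueError(f"unknown outcome {outcome!r}")


def thread_examples() -> Dict[str, Dict[str, Optional[int]]]:
    """Re-run the three configurations from the reply, plus the EAPOL-history edge case."""
    cfg_guest_only = PortConfig(access_vlan=100, guest_vlan=900)
    cfg_both = PortConfig(access_vlan=100, guest_vlan=900, auth_fail_vlan=999)
    results: Dict[str, Dict[str, Optional[int]]] = {}
    for ios, cfg in (("12.2(20)SE", cfg_guest_only),
                     ("12.2(25)SEB", cfg_guest_only),
                     ("12.2(25)SEE", cfg_both)):
        # fresh switch per outcome so one port's history does not leak into the next case
        results[ios] = {o: Switch(ios).decide("f1/0/1", cfg, o)
                        for o in ("success", "failure", "none")}
    # Edge case: a supplicant fails, then goes silent. With EAPOL history the port must
    # not drift into the guest VLAN until the link is bounced.
    sw, port = Switch("12.2(25)SEE"), "f1/0/2"
    hist = {"fail": sw.decide(port, cfg_both, "failure"),
            "quiet_after_fail": sw.decide(port, cfg_both, "none")}
    sw.link_down(port)
    hist["after_link_bounce"] = sw.decide(port, cfg_both, "none")
    results["history"] = hist
    return results


if __name__ == "__main__":
    for name, table in thread_examples().items():
        print(name, table)
```

The history case is the security-relevant one: a rejected supplicant that simply stops sending EAPOL does not get promoted to the guest VLAN on 12.2(25)SE and later, which is why the restricted VLAN exists as a separate, deliberately chosen landing zone for failed clients.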

This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:39 ART