RE: dot1x guest-vlan supplicant

From: Mike Kraus (mikraus) (mikraus@cisco.com)
Date: Wed Jul 04 2007 - 09:30:36 ART


Q1 - 12.2(25)SEE and later - "Who will win? dot1x guest-vlan
supplicant" or "Dot1x auth-fail"

I've certainly never tested this, but I would suspect that an 802.1x
failure would fall into the auth-fail VLAN for any ports that have the
auth-fail VLAN defined, and guest-VLAN could be accessible on the
others. I have not seen any clear documentation on this scenario
though. Has anyone ever tried this?

Q2 - 12.2(25)SEE and later - "move the 802.1x Failure to the guest vlan
345"

I'd agree with the solution you provided, but it certainly begs the
question, why not use an auth-fail VLAN? I would hope the question
would be phrased in a way like: ensure that all users that fail 802.1x
authentication have access to vlan 345. (So, that way the question
doesn't force you to use the deprecated method of accomplishing this if
the device is running new code, but you never know, maybe that's the
trick!)

-----Original Message-----
From: louis john [mailto:west_coast@inbox.com]
Sent: Wednesday, July 04, 2007 12:27 AM
To: Mike Kraus (mikraus); Cisco certification
Subject: RE: dot1x guest-vlan supplicant

Mike,

I really do not know how to thank you, but I really respect the deep
knowledge you have in this context, and please allow me to ask you two
more questions:

Q1.

Regarding the last section, suppose I add the command "dot1x guest-vlan
supplicant" globally. Will the IOS override the "Dot1x auth-fail vlan
999" and move the 802.1x failure to the guest vlan instead of the
restricted vlan? i.e. Who will win? "dot1x guest-vlan supplicant" or
"Dot1x auth-fail"

 Interface range f1/0/1 - 48
 Switchport mode access
 Switchport access vlan 100
 Dot1x port-control auto
 Dot1x auth-fail vlan 999
 Dot1x guest-vlan 900
 
 802.1x success: VLAN 100
 802.1x failure: VLAN 999
 No 802.1x: VLAN 900

Q2.
Assume that I have IOS 12.2(25)SEE or later and I have a
requirement to move the 802.1x failure to the guest vlan 345. Then I
should not use the command "Dot1x guest-vlan" alone, because this command
will help only the "No 802.1x" case, nor the command "Dot1x auth-fail", because
this command will move the unauthenticated client (802.1x failure) to
the restricted vlan.

So what should I do in this case? :( How can I move the clients to the
guest vlan while they are 802.1x failures?

Let me tell you my answer and correct me if I am wrong :

I should use "Dot1x guest-vlan" combined with "dot1x guest-vlan
supplicant" because in this case, I think the 802.1x failure will be
moved to the guest vlan.

I really appreciate your feedback.

> -----Original Message-----
> From: mikraus@cisco.com
> Sent: Tue, 3 Jul 2007 20:35:28 -0400
> To: west_coast@inbox.com, ccielab@groupstudy.com
> Subject: RE: dot1x guest-vlan supplicant
>
> I suppose it depends on the IOS version of the 3560's in the lab these
> days.
>
> "With Cisco IOS Release 12.2(25)SE and later, the switch maintains the
> EAPOL packet history. If an EAPOL packet is detected on the interface
> during the lifetime of the link, the switch determines that the device
> connected to that interface is an IEEE 802.1x-capable supplicant, and
> the interface does not change to the guest VLAN state. EAPOL history
> is cleared if the interface link status goes down. If no EAPOL packet
> is detected on the interface, the interface changes to the guest VLAN
> state.
>
> Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
> EAPOL packet history and allowed clients that failed authentication
> access to the guest VLAN, regardless of whether EAPOL packets had been
> detected on the interface. You can enable this optional behavior by
> using the dot1x guest-vlan supplicant global configuration command.
> However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan
> supplicant global configuration command is no longer supported. Use a
> restricted VLAN to allow clients that failed authentication access to
> the network by entering the dot1x auth-fail vlan vlan-id interface
> configuration command."
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/sw8021x.htm#wp1176660
>
> So:
>
> Before 12.2(25)SE:
>
> Interface range f1/0/1 - 48
> Switchport mode access
> Switchport access vlan 100
> Dot1x port-control auto
> Dot1x guest-vlan 900
>
> 802.1x success: VLAN 100
> 802.1x failure: VLAN 900
> No 802.1x: VLAN 900
>
>
> 12.2(25)SE to 12.2(25)SED:
>
> Interface range f1/0/1 - 48
> Switchport mode access
> Switchport access vlan 100
> Dot1x port-control auto
> Dot1x guest-vlan 900
>
> 802.1x success: VLAN 100
> 802.1x failure: unauthorized, no access (unless the "dot1x guest-vlan
> supplicant" command is used, then VLAN 900).
> No 802.1x: VLAN 900
>
>
> So, in 12.2(25)SEE and later:
>
> Interface range f1/0/1 - 48
> Switchport mode access
> Switchport access vlan 100
> Dot1x port-control auto
> Dot1x auth-fail vlan 999
> Dot1x guest-vlan 900
>
> 802.1x success: VLAN 100
> 802.1x failure: VLAN 999
> No 802.1x: VLAN 900
>
> Of course, you could also assign a VLAN via RADIUS for success, and
> you also could have the restricted (auth-fail) and guest VLANs be the
> same VLAN if you so desired.
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of louis john
> Sent: Tuesday, July 03, 2007 6:39 PM
> To: Cisco certification
> Subject: dot1x guest-vlan supplicant
>
> Folks,
>
> Can you please correct my answer to the following question :
>
> I have IEEE clients connected to my switch port, I am trying to
> authenticate them through DOT1X protocol using radius server, I want
> to put the unauthenticated clients in the guest vlan 345
>
> My config
> aaa new-model
> authentication login default none
> aaa authentication dot1x default group radius
>
> dot1x system-auth-control
>
> interface range f1/0/1 - 48
> switchport mode access
> dot1x guest-vlan 345
>
> Now should I have to also mention "dot1x guest-vlan supplicant" in the
> global configuration, as this is a hidden command in 3750 switches, as
> we usually do on 3550 switches?
>
> Now I believe that if I put this command, then the Unauthenticated
> IEEE capable clients will be moved to guest vlan.
>
> I appreciate your feedback.
>
>
> ______________________________________________________________________
> _ Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
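Added example, not part of the list thread above and not Cisco code: a small Python model of the port-VLAN decision the thread describes, so the three behaviours (before 12.2(25)SE, 12.2(25)SE to SED, and SEE and later) can be compared side by side. It models exactly what the quoted documentation states: EAPOL history is kept from link-up and cleared on link-down; a port that has seen EAPOL never falls into the guest VLAN on 12.2(25)SE and later; "dot1x guest-vlan supplicant" only restores the old behaviour on the SE to SED releases; and "dot1x auth-fail vlan" decides where failed supplicants land on SEE and later. The version ordering in train(), the event names, and the choice to raise an error when "dot1x guest-vlan supplicant" is set on SEE or later (the real switch simply does not accept the command) are assumptions of this model.

```python
"""Model of the 802.1x port-VLAN decision on a Catalyst 3560/3750, built
from the behaviour quoted in the thread. Simplified model, not Cisco code."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: only SE-train strings such as 12.2(25)SEE or 12.2(25)SEE1 are
# classified; other trains are outside the scope of the thread.
_VER = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)$")


def version_key(version: str):
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unrecognised IOS version string: {version}")
    major, minor, build, letters, rebuild = m.groups()
    return (int(major), int(minor), int(build), letters, int(rebuild or 0))


def train(version: str) -> str:
    """Map a version string onto the three behaviour ranges in the thread."""
    key = version_key(version)
    if key < version_key("12.2(25)SE"):
        return "pre-SE"
    if key < version_key("12.2(25)SEE"):
        return "SE-SED"
    return "SEE+"


@dataclass
class PortConfig:
    access_vlan: int                      # switchport access vlan <id>
    guest_vlan: Optional[int] = None      # dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None  # dot1x auth-fail vlan <id>


@dataclass
class Switch:
    version: str
    guest_vlan_supplicant: bool = False   # global "dot1x guest-vlan supplicant"

    def __post_init__(self):
        self.train = train(self.version)
        if self.guest_vlan_supplicant and self.train == "SEE+":
            # Assumption: modelled as a configuration error, since the
            # command is not supported on 12.2(25)SEE and later.
            raise ValueError("dot1x guest-vlan supplicant is not supported here")


class Port:
    def __init__(self, switch: Switch, cfg: PortConfig):
        self.switch, self.cfg = switch, cfg
        self.eapol_seen = False
        self.vlan: Optional[int] = None   # None = unauthorized, no access

    def handle(self, event: str, radius_vlan: Optional[int] = None):
        t = self.switch.train
        if event in ("link-up", "link-down"):
            self.eapol_seen = False       # EAPOL history is cleared on link change
            self.vlan = None
        elif event == "eapol":
            self.eapol_seen = True        # supplicant detected for this link lifetime
        elif event == "auth-success":
            self.vlan = radius_vlan or self.cfg.access_vlan   # RADIUS may assign a VLAN
        elif event == "auth-failure":
            if t == "pre-SE":
                self.vlan = self.cfg.guest_vlan
            elif t == "SE-SED":
                self.vlan = self.cfg.guest_vlan if self.switch.guest_vlan_supplicant else None
            else:
                self.vlan = self.cfg.auth_fail_vlan
        elif event == "timeout":
            # dot1x retries exhausted without a result; only matters while unauthorized
            if self.vlan is None and (t == "pre-SE" or not self.eapol_seen):
                self.vlan = self.cfg.guest_vlan
        else:
            raise ValueError(f"unknown event: {event}")
        return self.vlan


def final_vlan(switch: Switch, cfg: PortConfig, events) -> Optional[int]:
    """Replay events (strings, or ('auth-success', radius_vlan) tuples)."""
    port = Port(switch, cfg)
    for ev in events:
        if isinstance(ev, tuple):
            port.handle(ev[0], radius_vlan=ev[1])
        else:
            port.handle(ev)
    return port.vlan


if __name__ == "__main__":
    cfg = PortConfig(access_vlan=100, guest_vlan=900, auth_fail_vlan=999)
    for ver in ("12.2(20)SE", "12.2(25)SED", "12.2(25)SEE"):
        sw = Switch(ver)
        print(ver, train(ver),
              "success:", final_vlan(sw, cfg, ["link-up", "eapol", "auth-success"]),
              "failure:", final_vlan(sw, cfg, ["link-up", "eapol", "auth-failure"]),
              "no-802.1x:", final_vlan(sw, cfg, ["link-up", "timeout"]))
```

The EAPOL-history rule is the part worth replaying: on 12.2(25)SE and later a supplicant that fails and then goes quiet stays unauthorized for the life of the link, and only a link-down followed by a new link-up with no EAPOL lets the port reach the guest VLAN.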



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:39 ART