From: Eric Dobyns (eric_dobyns@yahoo.com)
Date: Thu Oct 11 2007 - 10:25:54 ART
What is a dot1x guest vlan password? Anyone ever heard of such a thing? I
have a radius server IP address, but no key to go with it. Can you use
authentication on a guest vlan? I thought that was where you got stuck if
you didn't authenticate.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Thursday, October 11, 2007 6:50 AM
To: 'slevin kremera'; 'Rob McDonald'
Cc: ccielab@groupstudy.com
Subject: RE: dot1x & Guest VLAN
The DocCD is your friend....
"If the supplicant fails authentication, the port is moved to a restricted
VLAN, and an EAP success message is sent to the supplicant. Because the
supplicant is not notified of the actual authentication failure, there might
be confusion about this restricted network access. An EAP success message is
sent for these reasons:
- If the EAP success message is not sent, the supplicant tries to
authenticate every 60 seconds (the default) by sending an EAP-start message.
- Some hosts (for example, devices running Windows XP) cannot implement DHCP
until they receive an EAP success message."
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/command/reference/cli1.html#wp6240353
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
A Cisco Learning Partner - We Accept Learning Credits!
smorris@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
slevin kremera
Sent: Thursday, October 11, 2007 5:15 AM
To: Rob McDonald
Cc: ccielab@groupstudy.com
Subject: Re: dot1x & Guest VLAN
What is the purpose of this command?
dot1x auth-fail vlan 100
On 5/10/07, Rob McDonald <robmexpert@gmail.com> wrote:
>
> Hello,
>
> Thanks for the reply... Once again I'm trying to configure "I'm trying
> to set-up 802.1x based guest vlan authentication using a radius server
> @ 100.100.1.100 and password CCIE. Is this the right way to achieve this"
>
> aaa new-model
> aaa authentication dot1x default group radius
>
> aaa authentication login VTY line
> aaa authentication login CONN none
>
> radius-server host 100.100.1.100
> radius-server key CCIE
>
> dot1x system-auth-control
> dot1x guest-vlan supplicant
>
> interface range fa0/10-13
> switchport mode access
> dot1x port-control auto
> dot1x guest-vlan 100
> dot1x auth-fail vlan 100
>
> line con 0
> login authentication CONN
>
> line vty 0 4
> login authentication VTY
>
> On 5/9/07, Edison Ortiz <edisonmortiz@gmail.com> wrote:
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/sw8021x.htm
> >
> > Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
> > EAPOL packet history and allowed clients that failed authentication access
> > to the guest VLAN, regardless of whether EAPOL packets had been
> > detected on the interface. You can enable this optional behavior by
> > using the dot1x guest-vlan supplicant global configuration command.
> > However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan supplicant
> > global configuration command is no longer supported. Use a restricted VLAN
> > to allow clients that failed authentication access to the network by
> > entering the dot1x auth-fail vlan vlan-id interface configuration command.
> >
> > ______________________________
> >
> > Keep in mind, when enabling aaa new-model - you need to disable
> > authentication for the vty lines and console port.
> >
> > ----- Original Message -----
> > From: "Rob McDonald" <robmexpert@gmail.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Wednesday, May 09, 2007 4:23 AM
> > Subject: dot1x & Guest VLAN
> >
> >
> > > Hello group,
> > >
> > > I'm trying to set-up 802.1x based guest vlan authentication using a
> > > radius server @ 100.100.1.100 and password CCIE. Is this the right way to
> > > achieve this:
> > >
> > > aaa new-model
> > > aaa authentication dot1x default group radius
> > >
> > > radius-server host 100.100.1.100
> > > radius-server key CCIE
> > >
> > > dot1x guest-vlan supplicant
> > > dot1x system-auth-control
> > >
> > > interface range fa0/10-13
> > > switchport mode access
> > > dot1x port-control auto
> > > dot1x guest-vlan 100
> > >
> > > Also is it mandatory to use the command "dot1x guest-vlan supplicant"?
> > >
> > > Thanks,
> > >
> > > Rob
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
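The three pitfalls raised in this thread (the global dot1x guest-vlan supplicant command being unsupported from 12.2(25)SEE, aaa new-model changing how the console and VTY lines authenticate, and an auto port giving a failed supplicant nothing unless a guest or auth-fail VLAN exists) are the kind of thing worth catching before the config hits a switch. The lint below is an added example, not code from the thread, from GroupStudy or from Cisco. It assumes the one-space child indentation of show running-config output; the two configs embedded in it are constructed after the first and the corrected attempts quoted above, and the RADIUS address 100.100.1.100 and key CCIE are the lab values the thread quotes.

```python
"""Lint a Cisco IOS 802.1X / AAA snippet for the pitfalls raised in this thread.

Added example, not code from the thread or from Cisco. Expects the one-space
child indentation of 'show running-config'. The configs are constructed; the
RADIUS address 100.100.1.100 and key CCIE are the lab values the thread quotes.
"""

# Global commands the thread's configs rely on, and what their absence means.
GLOBAL_REQUIRED = {
    "dot1x system-auth-control": "802.1X is not enabled globally",
    "radius-server host": "no RADIUS server defined",
    "radius-server key": "no RADIUS shared key defined",
}


def parse_sections(config):
    """Split a config into top-level lines and {section header: child lines}."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def lint_dot1x(config):
    """Return human-readable findings; an empty list means the snippet is clean."""
    global_lines, sections = parse_sections(config)
    findings = []
    # Edison's point: the global supplicant command went away in 12.2(25)SEE.
    if "dot1x guest-vlan supplicant" in global_lines:
        findings.append("'dot1x guest-vlan supplicant' is unsupported from IOS "
                        "12.2(25)SEE; use 'dot1x auth-fail vlan <id>' on the ports")
    for prefix, message in GLOBAL_REQUIRED.items():
        if not any(l.startswith(prefix) for l in global_lines):
            findings.append(message)
    # Edison's second point: once aaa new-model is on, every line should carry
    # an explicitly chosen login method list (the thread uses 'line' and 'none').
    if "aaa new-model" in global_lines:
        for header, body in sections.items():
            if not header.startswith("line "):
                continue
            if not any(b.startswith("login authentication ") for b in body):
                findings.append(f"{header}: no 'login authentication' list applied; "
                                "the line uses the default method list (lockout risk)")
    # Scott's point: on an 'auto' port a failed supplicant gets nothing unless a
    # guest or restricted (auth-fail) VLAN is configured.
    for header, body in sections.items():
        if not header.startswith("interface ") or "dot1x port-control auto" not in body:
            continue
        if "switchport mode access" not in body:
            findings.append(f"{header}: 802.1X requires 'switchport mode access'")
        if not any(b.startswith(("dot1x guest-vlan ", "dot1x auth-fail vlan ")) for b in body):
            findings.append(f"{header}: no guest or auth-fail VLAN; failed hosts get no access")
    return findings


# Constructed: the shape of the first post (deprecated command, no login lists).
BEFORE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 100.100.1.100
radius-server key CCIE
dot1x guest-vlan supplicant
dot1x system-auth-control
interface range fa0/10-13
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 100
line con 0
line vty 0 4
"""

# Constructed: the shape of the corrected config from the later post.
AFTER_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login VTY line
aaa authentication login CONN none
radius-server host 100.100.1.100
radius-server key CCIE
dot1x system-auth-control
interface range fa0/10-13
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 100
 dot1x auth-fail vlan 100
line con 0
 login authentication CONN
line vty 0 4
 login authentication VTY
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(name, lint_dot1x(cfg) or ["clean"])
```

Run against BEFORE_CONFIG it reports the unsupported supplicant command and the two lines with no login list; AFTER_CONFIG comes back clean. The check only looks at the commands quoted in this thread, so a platform that still accepts dot1x guest-vlan supplicant would need the first rule keyed on the IOS version.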
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:13 ART