From: GAURAV MADAN (gauravmadan1177@gmail.com)
Date: Sun Oct 05 2008 - 09:36:31 ART
Hi Sadiq
That cleared things up for me.
I guess in R&S we can live with this much info. :)
Thanks a ton
Gaurav Madan
On Sun, Oct 5, 2008 at 5:33 PM, Sadiq Yakasai <sadiqtanko@gmail.com> wrote:
> Hey Gaurav,
>
> This is how it goes:
>
> You are right, when you configure the "dot1x guest-vlan 2" interface config,
> the switch will place all NON-DOT1x capable devices in the Guest VLAN when
> they fail authentication.
>
> The "dot1x auth-fail vlan" command is used to place DOT1x capable devices
> into the auth-fail vlan ONLY when they fail authentication - which basically
> means that the aaa server has explicitly returned a "radius access-reject"
> message to the switch.
>
> The "dot1x guest-vlan supplicant" global config command is used to place
> DOT1x capable devices that for any reason have started exchanging EAPoL or
> EAP frames with the switch (hence the docCD says the switch maintains
> history of EAPoL exchange between the switch and the client) but never
> finish the exchange and therefore have not successfully authenticated with
> the switch (and aaa server running behind the scenes). This means that the
> exchange has not explicitly ended with a radius access-reject (and hence
> cannot be placed in the auth-fail vlan) and this is when the DOT1x capable
> device is placed in the Guest vlan.
>
> It's one of those strange cases which can only be observed when you are doing
> an EAP method involving the use of certificates and the client has some
> missing certificates. The client begins the EAP exchange and suddenly
> realises the missing certificates and it then suddenly goes silent and
> unresponsive.
>
> Hope that clears up the air a little bit (or maybe I have successfully
> confused you even more ;-)! )
>
> Sadiq
> #19963
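As an added illustration (not part of the thread), here is a small Python model of the placement rules Sadiq describes: whether the port lands in the guest VLAN, the auth-fail VLAN, or stays unauthorized depends on whether the client ever sent EAPoL, whether RADIUS returned an explicit Access-Reject, and whether `dot1x guest-vlan supplicant` is configured. The dataclass names and the "stalled supplicant" client are assumptions made for the model, not IOS internals.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Outcome(Enum):
    AUTHORIZED = "authorized (RADIUS Access-Accept)"
    GUEST_VLAN = "placed in guest VLAN"
    AUTH_FAIL_VLAN = "placed in auth-fail VLAN"
    UNAUTHORIZED = "port stays unauthorized"

@dataclass
class PortConfig:
    # Hypothetical mirror of the interface/global dot1x settings discussed above.
    guest_vlan: Optional[int] = None          # dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None      # dot1x auth-fail vlan <id>
    guest_vlan_supplicant: bool = False       # dot1x guest-vlan supplicant (global)

@dataclass
class Client:
    sent_eapol: bool                          # switch has seen EAPoL/EAP from this client
    radius_result: Optional[str]              # "accept", "reject", or None if never finished

def place_client(cfg: PortConfig, client: Client) -> Tuple[Outcome, Optional[int]]:
    """Decide where a port ends up after the 802.1X exchange (or lack of one)."""
    if client.radius_result == "accept":
        return Outcome.AUTHORIZED, None
    if client.radius_result == "reject":
        # Explicit Access-Reject: the only path into the auth-fail VLAN.
        if cfg.auth_fail_vlan is not None:
            return Outcome.AUTH_FAIL_VLAN, cfg.auth_fail_vlan
        return Outcome.UNAUTHORIZED, None
    # No explicit reject. A client that never spoke EAPoL is treated as non-dot1x capable.
    if not client.sent_eapol:
        if cfg.guest_vlan is not None:
            return Outcome.GUEST_VLAN, cfg.guest_vlan
        return Outcome.UNAUTHORIZED, None
    # Client started EAPoL but stalled (e.g. the missing-certificate case): the switch
    # remembers the EAPoL history, so the guest VLAN is used only with the supplicant keyword.
    if cfg.guest_vlan is not None and cfg.guest_vlan_supplicant:
        return Outcome.GUEST_VLAN, cfg.guest_vlan
    return Outcome.UNAUTHORIZED, None

if __name__ == "__main__":
    stalled = Client(sent_eapol=True, radius_result=None)  # constructed sample client
    for cfg in (PortConfig(guest_vlan=2), PortConfig(guest_vlan=2, guest_vlan_supplicant=True)):
        print(cfg, "->", place_client(cfg, stalled))
```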
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:19 ARST