Re: critical options in dot1x

From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Tue Mar 03 2009 - 14:28:14 ARST


Dot1x critical authentication deals with situations when the authentication
server goes down (the switch actually declares the server(s) as DEAD) and a
host connects to a switchport configured for 802.1X. Since the AAA server is
dead, the switch authorizes the host in the critical VLAN, if one is
configured. Hence the command:

Rack1SW2(config-if)#dot1x critical ?
 recovery Enable 802.1x Critical Authentication recovery
 vlan Configure Critical-Auth policy VLAN on this interface
 <cr>

Now, when the AAA server comes back online, the switch has an option to
re-initialize the authentication on the port for the client and hence:

Rack1SW2(config-if)#dot1x critical ?
 recovery Enable 802.1x Critical Authentication recovery

Now, the criteria that the switch uses to declare the authentication server
as DEAD by default is platform dependent, but it's also configurable. Please
see more here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1194433

HTH,
Sadiq

On Tue, Mar 3, 2009 at 3:26 PM, GAURAV MADAN <gauravmadan1177@gmail.com> wrote:

> Hi All
>
> I see the following options:
>
> Rack1SW2(config)#dot1x critical ?
> eapol Send EAPOL-Success on successful Critical Authentication
> recovery Set 802.1x Critical Authentication Recovery parameters
>
>
> Rack1SW2(config-if)#dot1x critical ?
> recovery Enable 802.1x Critical Authentication recovery
> vlan Configure Critical-Auth policy VLAN on this interface
> <cr>
>
>
> I am referring to the documentation at:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_sec/configuration/guide/sw8021x.html
>
> I find nothing related to critical options.
> Question: What is dot1x critical authentication? How is this different from
> normal authentication provided by Dot1x?
>
> Thanks in advance
> Gaurav Madan.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
CCIE #19963
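
The critical-authentication setup discussed in this thread, as an added configuration example that is not part of the original messages. The server address, shared secret, probe username, VLAN ID, interface and timer values are constructed placeholders; the commands are the `dot1x critical` options shown in the CLI help above together with the `radius-server dead-criteria` and `radius-server deadtime` commands covered in the linked Catalyst 3560 guide.

```cisco
! Added example: 802.1X critical authentication (inaccessible auth bypass).
! All addresses, names, VLAN IDs and timers below are constructed placeholders.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Criteria for declaring a RADIUS server DEAD: 20 consecutive timeouts
! with no valid response for at least 30 seconds.
radius-server dead-criteria time 30 tries 20
! Do not send requests to a DEAD server for 60 minutes.
radius-server deadtime 60
! "test username" makes the switch probe the server, so it notices
! when the server becomes reachable again.
radius-server host 192.0.2.10 test username probe-user idle-time 30 key <SHARED-SECRET>
!
! Global options (the config-mode help quoted in the question):
! send EAPOL-Success to the supplicant on critical authorization, and
! wait 2000 ms between re-initializing critical ports after recovery.
dot1x critical eapol
dot1x critical recovery delay 2000
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 ! While all servers are DEAD, a connecting host is authorized into
 ! VLAN 20 without being authenticated, so restrict what VLAN 20 can reach.
 dot1x critical
 dot1x critical vlan 20
 ! When a server comes back, re-initialize the port so the host
 ! goes through normal 802.1X authentication.
 dot1x critical recovery action reinitialize
```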


This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:03 ART