Maybe one of the vendors can comment, but even though it states multiple
hosts will be connected to the port, it does not say that multi-host mode
should be used.
The labs I have been working on normally say something like "allow all
hosts access when only one host authenticates" ... something like this to
indicate multi-host mode.
Sounds like you might need only single host mode. Although, I would also
agree that the task is worded in such a way to suggest multiple hosts.
Would be interested to hear one of the vendor guys speak, but as you found,
the configs are not compatible. After it fails, might be a good time to
formulate a question and ask a proctor.
Something like - should I read this question to indicate that if one host
authenticates, all others should be allowed, or should I read this as
different hosts may plug into this port?
Not sure ... just thinking out loud ... ;-)
Andrew
On Sun, Aug 23, 2009 at 7:09 PM, CCIE League <ccieleague_at_ymail.com> wrote:
> Thanks... still trying to fig out.... thanks Ryan for the doc...
>
> Q says multiple hosts connected to this interface f0/14.
> Hosts failing "authorisation" should go to vlan 99 also hosts without dot1x
> support go to vlan 99
>
> ------------------------------
> *From:* ALL From_NJ <all.from.nj_at_gmail.com>
> *To:* Ryan West <rwest_at_zyedge.com>
> *Cc:* Darby Weaver <darby.weaver_at_gmail.com>; CCIE League <
> ccieleague_at_ymail.com>; CCIEGS <ccielab_at_groupstudy.com>
> *Sent:* Sunday, 23 August, 2009 23:45:20
>
> *Subject:* Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>
> (Was writing this when I saw Ryan's response ;-))
>
> In an odd way ... it kind of makes sense to me.
>
> Multi-host mode says that when any one single client, out of the many
> clients available, authenticates on the port, then authorize and enable the
> port on the network.
>
> The auth-fail command is saying that when a client fails authentication,
> they should be placed into a particular vlan. These two are not
> complementary to each other since they could 'override' each other. Makes
> sense?
>
> Mr League, does the task ask you to support clients who do not support
> dot1x? Or not when they fail auth? etc ... Just curious as to what the
> task is asking for.
>
> HTH,
>
> Andrew Lee Lissitz
>
>
>
> On Sun, Aug 23, 2009 at 6:37 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>> Configuration guide is your friend:
>>
>>
>> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1179086
>>
>> It makes sense when you think about what it's trying to accomplish.
>>
>> -ryan
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Darby Weaver
>> Sent: Sunday, August 23, 2009 6:27 PM
>> To: CCIE League
>> Cc: CCIEGS
>> Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>>
>> What version of IOS?
>>
>> I recall configuring this using multi-host without getting errors?
>>
>> On Sun, Aug 23, 2009 at 3:56 PM, CCIE League <ccieleague_at_ymail.com>
>> wrote:
>>
>> > I am getting the following message when setting Auth fail VLAN where I have
>> > to config multi-host support also.
>> >
>> >
>> >
>> > SW1(config-if)#dot1x auth-fail vlan 99
>> >
>> > Command rejected: Port is in multi-host mode
>> >
>> > Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>> >
>> >
>> > --------Config --------------
>> > aaa new-model
>> > aaa authentication dot1x default group radius
>> >
>> > dot1x system-auth-control
>> > dot1x guest-vlan supplicant
>> > !
>> > interface FastEthernet0/14
>> > switchport mode access
>> > dot1x port-control auto
>> > dot1x host-mode multi-host
>> > dot1x guest-vlan 99
>> > spanning-tree portfast
>> >
>> > ------------------------------------------------
>> >
>> >
>> >
>> >
>> > Thanks for your help...
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
>
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com

Blogs and organic groups at http://www.ccie.net

Received on Sun Aug 23 2009 - 19:24:08 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
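
An offline check for the conflict discussed in this thread, as an added example that is not part of any poster's message: it scans a saved switch configuration and reports interfaces that combine `dot1x host-mode multi-host` with `dot1x auth-fail vlan`, the pairing the switch rejected above. The function names and the sample configuration are constructed for illustration, and the parser assumes interface sub-commands are indented as in `show running-config` output.

```python
import re

# Constructed sample: the interface from the thread with the rejected
# command added, plus a second port left in the default host mode.
SAMPLE_CONFIG = """\
interface FastEthernet0/14
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
"""

def interface_blocks(config):
    """Yield (interface name, [commands]) for each interface stanza."""
    name, cmds = None, []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:                                  # a new stanza starts
            if name:
                yield name, cmds
            name, cmds = m.group(1), []
        elif name and line and raw[:1].isspace():
            cmds.append(line)                  # indented sub-command
        elif name and line:                    # unindented line ends the stanza
            yield name, cmds
            name, cmds = None, []
    if name:
        yield name, cmds

def auth_fail_conflicts(config):
    """Return {interface: auth-fail VLAN} for ports that are also multi-host."""
    conflicts = {}
    for name, cmds in interface_blocks(config):
        multi_host = "dot1x host-mode multi-host" in cmds
        for cmd in cmds:
            m = re.match(r"dot1x auth-fail vlan (\d+)$", cmd)
            if m and multi_host:
                conflicts[name] = int(m.group(1))
    return conflicts

if __name__ == "__main__":
    for port, vlan in auth_fail_conflicts(SAMPLE_CONFIG).items():
        print(f"{port}: auth-fail vlan {vlan} conflicts with multi-host mode")
```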