All DDTS below seem to have been opened on c2800, not to mention opened back
in 2007 :-)
It might be related to the hardware you are using, League. The 3550 has very
limited functionality for 802.1X config to be honest. I was even surprised to
see you were able to configure multi-host mode on it. And I would not be
surprised if it's only configurable and NOT supported. When you have some
time, do some more digging to find out.
But practically speaking anyway, I think the AUTH-FAIL and GUEST VLAN
features are not supported with the multi-host mode. My reason is because
these Cisco switches today only support a single access VLAN on a
non-trunking port. You can have a multi VLAN access port and configure a
voice VLAN, but this is only useful for Cisco IP phones anyway (unless you
tweak your PC to send in tagged frames anyway).
So because an access port only supports a single VLAN, how can you have
VLAN1 (as configured above, or a dynamic VLAN sent down via RADIUS), as well
as an AuthFail (or Guest) VLAN (which seems to be VLAN99 on the config
above) also configured on the port?
Anyway, hope this does not confuse you more here.
Sadiq
On Mon, Aug 24, 2009 at 1:07 AM, CCIE League <ccieleague_at_ymail.com> wrote:
> After doing a little R&D I found.. Known caveats associated with
> Authentication Fail VLAN are documented with CSCsj80588, CSCsj51624, and
> CSCsj55636
>
> ------------------------
>
> When I searched for these CSC... I got
>
> --------------------------------
> CSCsb77186 Bug Details
>
> Information contained within bug ID CSCsb77186 is only available to Cisco
> employees. It is our policy to make all externally-facing bugs available in
> Bug Toolkit so the system administrators have been automatically alerted to
> the problem. By choosing to save this bug, you may be notified when the
> decision to make this bug available to you has been made. Note: Some product
> enhancement requests and documentation error bugs may not be available in
> Bug Toolkit.
>
> --------------------------
>
> :)
>
> moving on... already spent too much time.... let's see if I get a response
> from dear vendors...
>
>
> Thanks for helpin....
>
> ________________________________
> From: ALL From_NJ <all.from.nj_at_gmail.com>
> To: CCIE League <ccieleague_at_ymail.com>
> Cc: Ryan West <rwest_at_zyedge.com>; Darby Weaver <darby.weaver_at_gmail.com>; CCIEGS <ccielab_at_groupstudy.com>
> Sent: Monday, 24 August, 2009 0:24:08
> Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>
> Maybe one of the vendors can comment, but even though it states multiple
> hosts will be connected to the port, it does not say that multi-host mode
> should be used.
>
> The labs I have been working on, normally say something like "allow all
> hosts access when only one host authenticates" ... something like this to
> indicate multi-host mode.
>
> Sounds like you might need only single host mode. Although, I would also
> agree that the task is worded in such a way to suggest multiple hosts.
>
> Would be interested to hear one of the vendor guys speak, but as you found,
> the configs are not compatible. After it fails, might be a good time to
> formulate a questions and ask a proctor.
>
> Something like - should I read this question to indicate that if one host
> authenticates, all others should be allowed, or should I read this as
> different hosts may plug into this port?
>
> Not sure ... just thinking out loud ... ;-)
>
> Andrew
>
> On Sun, Aug 23, 2009 at 7:09 PM, CCIE League <ccieleague_at_ymail.com> wrote:
>
> Thanks... still trying to fig out.... thanks Ryan for the doc...
> >
> >Q says multiple hosts connected to this interface f0/14.
> >Hosts failing "authorisation" should go to vlan 99; also hosts without
> >dot1x support go to vlan 99
> >
> >________________________________
> >From: ALL From_NJ <all.from.nj_at_gmail.com>
> >To: Ryan West <rwest_at_zyedge.com>
> >Cc: Darby Weaver <darby.weaver_at_gmail.com>; CCIE League <ccieleague_at_ymail.com>; CCIEGS <ccielab_at_groupstudy.com>
> >Sent: Sunday, 23 August, 2009 23:45:20
> >Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
> >
> >(Was writing this when I saw Ryan's response ;-))
> >
> >In an odd way ... it kind of makes sense to me.
> >
> >Multi-host mode says that when any one single client, out of the many
> >clients available, authenticates on the port, then authorize and enable the
> >port on the network.
> >
> >The auth-fail command is saying that when a client fails authentication,
> >they should be placed into a particular vlan. These two are not
> >complementary to each other since they could 'override' each other. Makes
> >sense?
> >
> >Mr League, does the task ask you to support clients who do not support
> >dot1x? Or not when they fail auth? etc ... Just curious as to what the
> >task is asking for.
> >
> >HTH,
> >
> >Andrew Lee Lissitz
> >
> >On Sun, Aug 23, 2009 at 6:37 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >
> >Configuration guide is your friend:
> >>
> >>http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1179086
> >>
> >>It makes sense when you think about what it's trying to accomplish.
> >>
> >>-ryan
> >>
> >>-----Original Message-----
> >>From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Darby Weaver
> >>Sent: Sunday, August 23, 2009 6:27 PM
> >>To: CCIE League
> >>Cc: CCIEGS
> >>Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
> >>
> >>What version of IOS?
> >>
> >>I recall configuring this using multi-host without getting errors?
> >>
> >>On Sun, Aug 23, 2009 at 3:56 PM, CCIE League <ccieleague_at_ymail.com> wrote:
> >>
> >>> I am getting the following message when setting Auth fail VLAN where I
> >>> have to config multi-host support also.
> >>>
> >>> SW1(config-if)#dot1x auth-fail vlan 99
> >>>
> >>> Command rejected: Port is in multi-host mode
> >>>
> >>> Dot1x Auth-Fail-Vlan is not supported on multi-host mode
> >>>
> >>> --------Config --------------
> >>> aaa new-model
> >>> aaa authentication dot1x default group radius
> >>>
> >>> dot1x system-auth-control
> >>> dot1x guest-vlan supplicant
> >>> !
> >>> interface FastEthernet0/14
> >>> switchport mode access
> >>> dot1x port-control auto
> >>> dot1x host-mode multi-host
> >>> dot1x guest-vlan 99
> >>> spanning-tree portfast
> >>>
> >>> ------------------------------------------------
> >>>
> >>> Thanks for your help...
> >>>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
CCIE #19963
Blogs and organic groups at http://www.ccie.net

Received on Mon Aug 24 2009 - 12:08:14 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
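As an added illustration (my own Python model, not code from the thread or from Cisco IOS): a simplified port-state model of how single-host and multi-host mode resolve each host's VLAN, reproducing the rejection SW1 printed and showing why a per-host auth-fail VLAN has nowhere to apply once one supplicant has authorized a multi-host port. The config fields, the 'no-supplicant' outcome and the single-host violation handling are assumptions that simplify real switch behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PortConfig:
    access_vlan: int = 1                  # VLAN an authenticated host lands in
    host_mode: str = "single-host"        # or "multi-host" (assumed field names)
    guest_vlan: Optional[int] = None      # for hosts with no 802.1X supplicant
    auth_fail_vlan: Optional[int] = None  # for hosts that fail authentication


def validate(cfg: PortConfig) -> None:
    """Reproduce the rejection the original post hit on SW1 (message quoted from the thread)."""
    if cfg.host_mode == "multi-host" and cfg.auth_fail_vlan is not None:
        raise ValueError("Command rejected: Port is in multi-host mode")


@dataclass
class PortState:
    cfg: PortConfig
    authorized: bool = False                  # multi-host: one port-wide flag
    vlans: Dict[str, Optional[int]] = field(default_factory=dict)

    def host_event(self, mac: str, outcome: str) -> Optional[int]:
        """Record an 802.1X outcome ('success', 'fail', 'no-supplicant') for a
        MAC and return the VLAN that MAC now sits in, or None if blocked."""
        cfg = self.cfg
        validate(cfg)
        if cfg.host_mode == "multi-host":
            # One successful supplicant opens the port for everyone; later MACs
            # ride along in the access VLAN without authenticating, so there is
            # no per-host place to apply an auth-fail VLAN (the detection risk).
            if outcome == "success":
                self.authorized = True
            if self.authorized:
                vlan = cfg.access_vlan
            elif outcome == "no-supplicant":
                vlan = cfg.guest_vlan
            else:
                vlan = None
        else:
            # Single-host: the port is bound to one MAC; a second MAC is a
            # security violation (simplified assumption: we just raise).
            if self.vlans and mac not in self.vlans:
                raise ValueError("security violation: second MAC on single-host port")
            vlan = {"success": cfg.access_vlan,
                    "fail": cfg.auth_fail_vlan}.get(outcome, cfg.guest_vlan)
        self.vlans[mac] = vlan
        return vlan
```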