RE: Dot1x Auth-Fail-Vlan is not supported on multi-host mode

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 24 Aug 2009 10:02:31 -0400

Why are you looking up bugs for a documented feature that's behaving exactly
how the Doc indicates?

-ryan

From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Monday, August 24, 2009 7:08 AM
To: CCIE League
Cc: ALL From_NJ; Ryan West; Darby Weaver; CCIEGS
Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode

All DDTS below seem to have been opened on c2800, not to mention opened back
in 2007 :-)

It might be related to the hardware you are using, League. The 3550 has very
limited functionality for 802.1X config to be honest. I was even surprised to
see you were able to configure multi-host mode on it. And I would not be
surprised if it's only configurable and NOT supported. When you have some time,
do some more digging to find out.

But practically speaking anyway, I think the AUTH-FAIL and GUEST VLAN features
are not supported with the multi-host mode. My reason is because these Cisco
switches today only support a single access VLAN on a non-trunking port. You
can have a multi VLAN access port and configure a voice VLAN, but this is only
useful for Cisco IP phones anyway (unless you tweak your PC to send in tagged
frames anyway).

So because an access port only supports a single VLAN, how can you have VLAN1
(as configured above, or a dynamic VLAN sent down via RADIUS), as well as an
AuthFail (or Guest) VLAN (which seems to be VLAN99 on the config above) also
configured on the port?

Anyway, hope this does not confuse you more here.

Sadiq
On Mon, Aug 24, 2009 at 1:07 AM, CCIE League <ccieleague_at_ymail.com> wrote:
After doing a little R&D I found... Known caveats associated with Authentication
Fail VLAN are documented with CSCsj80588, CSCsj51624, and CSCsj55636

------------------------

When I searched for these CSC... this is what I got:

--------------------------------
CSCsb77186 Bug Details

Information contained within bug ID CSCsb77186 is only available to Cisco
employees. It is our policy to make all externally-facing bugs available in
Bug Toolkit so the system administrators have been automatically alerted to
the problem. By choosing to save this bug, you may be notified when the
decision to make this bug available to you has been made. Note: Some product
enhancement requests and documentation error bugs may not be available in Bug
Toolkit.

--------------------------

:)

Moving on... already spent too much time... let's see if I get a response from
the dear vendors...

Thanks for helping...

________________________________
From: ALL From_NJ <all.from.nj_at_gmail.com>
To: CCIE League <ccieleague_at_ymail.com>
Cc: Ryan West <rwest_at_zyedge.com>; Darby Weaver <darby.weaver_at_gmail.com>;
CCIEGS <ccielab_at_groupstudy.com>
Sent: Monday, 24 August, 2009 0:24:08
Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode

Maybe one of the vendors can comment, but even though it states multiple hosts
will be connected to the port, it does not say that multi-host mode should be
used.

The labs I have been working on, normally say something like "allow all hosts
access when only one host authenticates" ... something like this to indicate
multi-host mode.

Sounds like you might need only single host mode. Although, I would also
agree that the task is worded in such a way to suggest multiple hosts.

Would be interested to hear one of the vendor guys speak, but as you found,
the configs are not compatible. After it fails, might be a good time to
formulate a question and ask a proctor.

Something like - should I read this question to indicate that if one host
authenticates, all others should be allowed, or should I read this as
different hosts may plug into this port?

Not sure ... just thinking out loud ... ;-)

Andrew

On Sun, Aug 23, 2009 at 7:09 PM, CCIE League <ccieleague_at_ymail.com> wrote:

Thanks... still trying to figure out.... thanks Ryan for the doc...
>
>Q says multiple hosts connected to this interface f0/14.
>Hosts failing "authorisation" should go to vlan 99; also hosts without dot1x
support go to vlan 99
>
________________________________
From: ALL From_NJ <all.from.nj_at_gmail.com>
>To: Ryan West <rwest_at_zyedge.com>
>Cc: Darby Weaver <darby.weaver_at_gmail.com>; CCIE League <ccieleague_at_ymail.com>;
CCIEGS <ccielab_at_groupstudy.com>
>Sent: Sunday, 23 August, 2009 23:45:20
>Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>
>(Was writing this when I saw Ryan's response ;-))
>
>In an odd way ... it kind of makes sense to me.
>
>Multi-host mode says that when any one single client, out of the many clients
available, authenticates on the port, then authorize and enable the port on
the network.
>
>The auth-fail command is saying that when a client fails authentication, they
should be placed into a particular vlan. These two are not complementary to
each other since they could 'override' each other. Makes sense?
>
>Mr League, does the task ask you to support clients who do not support dot1x?
Or not when they fail auth? etc ... Just curious as to what the task is
asking for.
>
>HTH,
>
>Andrew Lee Lissitz
>
>On Sun, Aug 23, 2009 at 6:37 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>Configuration guide is your friend:
>>
>>http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1179086
>>
>>It makes sense when you think about what it's trying to accomplish.
>>
>>-ryan
>>
>>
>>-----Original Message-----
>>From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Darby Weaver
>>Sent: Sunday, August 23, 2009 6:27 PM
>>To: CCIE League
>>Cc: CCIEGS
>>Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>>
>>What version of IOS?
>>
>>I recall configuring this using multi-host without getting errors?
>>
>>On Sun, Aug 23, 2009 at 3:56 PM, CCIE League <ccieleague_at_ymail.com> wrote:
>>
>>> I am getting the following message when setting Auth fail VLAN where I
have
>>> to config multi-host support also.
>>>
>>> SW1(config-if)#dot1x auth-fail vlan 99
>>>
>>> Command rejected: Port is in multi-host mode
>>>
>>> Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>>>
>>>
>>> --------Config --------------
>>> aaa new-model
>>> aaa authentication dot1x default group radius
>>>
>>> dot1x system-auth-control
>>> dot1x guest-vlan supplicant
>>> !
>>> interface FastEthernet0/14
>>> switchport mode access
>>> dot1x port-control auto
>>> dot1x host-mode multi-host
>>> dot1x guest-vlan 99
>>> spanning-tree portfast
>>>
>>> ------------------------------------------------
>>>
>>> Thanks for your help...
>>>
>>>

--
Andrew Lee Lissitz
all.from.nj_at_gmail.com
Blogs and organic groups at http://www.ccie.net
Received on Mon Aug 24 2009 - 10:02:31 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
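The thread's two explanations, that multi-host mode authorizes the whole port once any one client passes, and that an access port carries only one VLAN so a failed client has no second VLAN to be moved into, can be replayed in a small model. The code below is an added illustration written for this archive page; it is not Cisco IOS code and not from anyone in the thread. The port object, the `max_fail` threshold of three attempts and the single-host violation handling are simplifying assumptions; the interface, VLAN numbers and MAC addresses are constructed sample values modelled on the f0/14 config quoted above.

```python
"""Toy model of 802.1X authorization on a Catalyst-style access port.

Constructed for illustration of the thread's point; it is not Cisco IOS code.
The max_fail threshold and the single-host violation handling are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SINGLE_HOST = "single-host"
MULTI_HOST = "multi-host"


@dataclass
class Dot1xPort:
    name: str
    access_vlan: int                      # the single VLAN an access port carries
    host_mode: str = SINGLE_HOST
    guest_vlan: Optional[int] = None      # for clients that never answer EAPOL
    auth_fail_vlan: Optional[int] = None  # for clients that fail authentication
    max_fail: int = 3                     # assumed failures before auth-fail VLAN applies
    authorized: bool = False
    active_vlan: Optional[int] = None     # None = port blocked
    authorized_mac: Optional[str] = None
    failures: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def configure_auth_fail_vlan(self, vlan: int) -> str:
        """Mirror the rejection shown in the thread: in multi-host mode the port is
        authorized or blocked as a whole, so a per-client VLAN has nowhere to go."""
        if self.host_mode == MULTI_HOST:
            return "Command rejected: Port is in multi-host mode"
        self.auth_fail_vlan = vlan
        return "ok"

    def eap_result(self, mac: str, success: bool) -> Optional[int]:
        """Apply one supplicant's outcome and return the VLAN that host lands in."""
        if self.authorized and self.host_mode == SINGLE_HOST and mac != self.authorized_mac:
            # A second MAC on a single-host port is a security violation: port shut.
            self.log.append(f"{mac}: violation on single-host port, port disabled")
            self.authorized, self.active_vlan = False, None
            return None
        if self.authorized and self.host_mode == MULTI_HOST:
            # The multi-host caveat: once any one host has authenticated, the port is
            # open for every MAC behind it, whether this host passed or failed.
            verdict = "pass" if success else "FAIL"
            self.log.append(f"{mac}: {verdict}, port already open -> VLAN {self.active_vlan}")
            return self.active_vlan
        if success:
            self.authorized, self.authorized_mac = True, mac
            self.active_vlan = self.access_vlan
            self.failures.pop(mac, None)
            self.log.append(f"{mac}: success -> VLAN {self.access_vlan}")
            return self.active_vlan
        n = self.failures[mac] = self.failures.get(mac, 0) + 1
        if self.auth_fail_vlan is not None and n >= self.max_fail:
            self.active_vlan = self.auth_fail_vlan
            self.log.append(f"{mac}: failed {n}x -> auth-fail VLAN {self.auth_fail_vlan}")
            return self.active_vlan
        self.active_vlan = None
        self.log.append(f"{mac}: failed {n}x -> blocked")
        return None

    def no_supplicant(self, mac: str) -> Optional[int]:
        """Client that never answers EAPOL (no 802.1X support): guest VLAN, if any."""
        if self.authorized:
            return self.active_vlan if self.host_mode == MULTI_HOST else None
        if self.guest_vlan is not None:
            self.active_vlan = self.guest_vlan
            self.log.append(f"{mac}: no EAPOL -> guest VLAN {self.guest_vlan}")
            return self.guest_vlan
        return None


def run_thread_scenario() -> dict:
    """Replay the quoted f0/14 case: guest VLAN 99 is accepted in multi-host mode,
    auth-fail VLAN 99 is rejected; then compare what each host mode does with a
    second host that fails authentication (constructed MACs and VLANs)."""
    multi = Dot1xPort("Fa0/14", access_vlan=1, host_mode=MULTI_HOST, guest_vlan=99)
    rejected = multi.configure_auth_fail_vlan(99)
    multi.eap_result("0000.1111.aaaa", success=True)
    failed_host_vlan_multi = multi.eap_result("0000.2222.bbbb", success=False)

    single = Dot1xPort("Fa0/15", access_vlan=1, host_mode=SINGLE_HOST, guest_vlan=99)
    accepted = single.configure_auth_fail_vlan(99)
    failed_host_vlan_single = None
    for _ in range(single.max_fail):
        failed_host_vlan_single = single.eap_result("0000.2222.bbbb", success=False)
    return {
        "multi_host_auth_fail_cmd": rejected,
        "single_host_auth_fail_cmd": accepted,
        "failed_host_vlan_multi": failed_host_vlan_multi,    # rides on the first host's auth
        "failed_host_vlan_single": failed_host_vlan_single,  # moved to the auth-fail VLAN
        "log": multi.log + single.log,
    }


if __name__ == "__main__":
    for line in run_thread_scenario()["log"]:
        print(line)
```

The replay makes the conflict concrete: on the multi-host port the failed second host still ends up in VLAN 1 because the port was opened by the first host, so an auth-fail VLAN would have to override a port-wide decision it cannot see; on the single-host port the same failures drive the one port VLAN to 99. It also shows the design consideration behind the choice of host mode: multi-host trades per-client enforcement for convenience, which is worth noting when a task wording suggests several hosts on one port.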