Hey team,
Another question from a lab I did tonight.
If you have configured a guest VLAN, and the client does not respond to
authentication requests, it will fail over to this VLAN. The debugs are
most interesting during this process. If anyone is labbing this, I found
it to be helpful to my learning.
BTW - for anyone wanting to see this, it is pretty easy to lab test. Just
configure dot1x on a device that does not support it, and configure a guest
VLAN. Enable debugs and watch. Here are my configs (pardon the new
commands ... I recently upgraded everything):
interface GigabitEthernet0/9
 switchport mode access
 ! auth-fail (restricted) VLAN: clients that fail authentication land here
 authentication event fail action authorize vlan 10
 ! guest VLAN: clients that never answer EAP requests land here
 authentication event no-response action authorize vlan 11
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
end
Question - what happens if you type dot1x violation-mode shutdown? In my
lab, I tested this and it still fails over to the fail VLAN. Not sure I
understand this ... after all, if you configure the violation mode to be
shutdown, why would the port stay up and become a member of a VLAN?
Hmm ...
Also, I believe the default violation mode is 'shutdown'. Can anyone
confirm this? I think this makes sense ... and it seems that the guest VLAN
command overrides this violation mode command.
Many TIA,
-- Andrew Lee Lissitz all.from.nj_at_gmail.com
Blogs and organic groups at http://www.ccie.net
Received on Sun Oct 18 2009 - 00:14:22 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART
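A small config audit in the spirit of the question above, added here as an example and not part of the original post or of any Cisco tool. It parses interface blocks in the IOS form shown in the thread and reports, per port, where non-responding and failed clients would be authorized, and flags the combination of a fallback VLAN with multi-host mode (in multi-host mode one authorization opens the port for every MAC behind it). The SAMPLE_CONFIG is constructed: Gi0/9 mirrors the posted config, Gi0/10 is an assumed second port. The defaults filled in when a command is absent (port-control force-authorized, host-mode single-host) are the IOS defaults; the violation-mode default is deliberately left unresolved, since that is what the post asks about.

```python
"""Audit Cisco IOS interface configs for 802.1X guest / auth-fail VLAN exposure.

Added example (not from the original post). Parses 'interface ...' blocks and
reports where unauthenticated or failed clients would be placed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: Gi0/9 mirrors the posted config, Gi0/10 is assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/9
 switchport mode access
 authentication event fail action authorize vlan 10
 authentication event no-response action authorize vlan 11
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/10
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
 dot1x violation-mode shutdown
!
"""

EVENT_RE = re.compile(r"authentication event (fail|no-response) action authorize vlan (\d+)$")


@dataclass
class PortAuth:
    name: str
    port_control: str = "force-authorized"   # IOS default when the command is absent
    host_mode: str = "single-host"           # IOS default host mode
    guest_vlan: Optional[int] = None         # 'no-response' action -> guest VLAN
    auth_fail_vlan: Optional[int] = None     # 'fail' action -> auth-fail (restricted) VLAN
    violation_mode: Optional[str] = None     # None = not explicitly configured (default not assumed)
    findings: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> List[PortAuth]:
    """Split the config into interface blocks and extract the 802.1X-relevant lines."""
    ports: List[PortAuth] = []
    current: Optional[PortAuth] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = PortAuth(name=line.split(None, 1)[1])
            ports.append(current)
            continue
        if line in ("!", "end"):          # block terminator
            current = None
            continue
        if current is None or not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            vlan = int(m.group(2))
            if m.group(1) == "fail":
                current.auth_fail_vlan = vlan
            else:
                current.guest_vlan = vlan
        elif line.startswith("authentication host-mode "):
            current.host_mode = line.split()[-1]
        elif line.startswith("authentication port-control "):
            current.port_control = line.split()[-1]
        elif line.startswith(("dot1x violation-mode ", "authentication violation ")):
            current.violation_mode = line.split()[-1]
    return ports


def audit(port: PortAuth) -> List[str]:
    """Return human-readable findings for one port (empty list = nothing to flag)."""
    f: List[str] = []
    if port.port_control != "auto":
        f.append(f"802.1X not enforced (port-control is {port.port_control})")
        return f
    if port.guest_vlan is not None:
        f.append(f"non-supplicant clients are authorized into guest VLAN {port.guest_vlan}")
    if port.auth_fail_vlan is not None:
        f.append(f"clients that fail authentication are authorized into VLAN {port.auth_fail_vlan}")
    if port.host_mode == "multi-host" and (port.guest_vlan is not None or port.auth_fail_vlan is not None):
        f.append("multi-host with a fallback VLAN: one port-level authorization admits every MAC behind the port")
    if port.violation_mode is None:
        f.append("violation mode not explicitly configured; platform default applies")
    return f


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its findings."""
    return {p.name: audit(p) for p in parse_interfaces(config)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for item in findings or ["ok"]:
            print("  -", item)
```

Run it against a real `show running-config` dump instead of SAMPLE_CONFIG to list every port where a non-responding device silently ends up in a guest VLAN; the multi-host finding is the one worth reading first, since a single authenticated host on such a port also admits everything plugged in behind it.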