On older platforms the force-authorized is the default. I cannot confirm
that on the 3560. And I'm looking at a particular vendor lab where upon
applying it to the 3560 and doing a "show dot1x all" the Interface
reports that it is in force-authorized port-control. So I am attempting
on the same hardware to get the same result to validate my config
against the solution guide and am unable. It's gotta be a version
thing.... You guys have vetted the configs at least.
Cat3560-2(config-if)#
Cat3560-2(config-if)#int gi0/6
Cat3560-2(config-if)#dot1x port-control force-author
Cat3560-2(config-if)#do sho run int gi0/6
Building configuration...
Current configuration : 134 bytes
!
interface GigabitEthernet0/6
description R6 Fa0/0
switchport access vlan 567
switchport mode access
spanning-tree portfast
end
Cat3560-2(config-if)#do sho dot1x int gi0/6
Dot1x not configured on interface GigabitEthernet0/6
Cat3560-2(config-if)#
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/22/2011 01:43 PM, Joseph L. Brunner wrote:
>
> Isn't the "force-authorized" state the default?
>
> What does
>
> Show dot1x all details
>
> Tell you?
>
> *From:* -Hammer- [mailto:bhmccie_at_gmail.com]
> *Sent:* Friday, July 22, 2011 2:38 PM
> *To:* marc abel
> *Cc:* Joseph L. Brunner; ccielab_at_groupstudy.com
> *Subject:* Re: dot1x missing?
>
> Hey Marc. It's there in the original post.
>
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 07/22/2011 01:35 PM, marc abel wrote:
>
> Maybe I'm missing it but I don't see
>
> dot1x system-auth-control
>
> in your global config.
>
> On Fri, Jul 22, 2011 at 1:25 PM, -Hammer- <bhmccie_at_gmail.com> wrote:
>
> Ha! Hey Joe. Nice try but I already have it enabled. :)
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config)#do sho run | in aaa
> aaa new-model
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa session-id common
> Cat3560-2(config)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> I'm clearly misunderstanding something. See below. I can apply
> "force-author" and nothing happens. I apply "auto" and it works. I go
> back and apply "force author" and it stops displaying again.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#int gi0/6
> Cat3560-2(config-if)#dot1x port force-author
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#dot1x port auto
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> 01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> GigabitEthernet0/6, changed state to down
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 160 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> dot1x port-control auto
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#dot1x port force-author
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> 01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> GigabitEthernet0/6, changed state to up
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
> On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
>
> Enabling it globally?
>
> Please hammer, don't hurt 'em!
>
> Aaa new-model
> Aaa authen dot1x default group radius
>
> dot1x system-auth-control
>
> Now you're "too legit to quit" and you "can touch this"
>
> -joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of -Hammer-
> Sent: Friday, July 22, 2011 1:53 PM
> To: ccielab_at_groupstudy.com
> Subject: dot1x missing?
>
> I know the trick that dot1x commands won't show up on an interface until
> it's in access but am I missing something else here?
> Port enabled
> Dot1x enabled
> port in access mode
> dot1x configuration to port - FAIL
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config)#do sho run | in dot
> aaa authentication dot1x default group radius
> dot1x system-auth-control
> vlan dot1q tag native
> Cat3560-2(config)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 110 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> end
>
> Cat3560-2(config)#int gi0/6
> Cat3560-2(config-if)#dot1x port-control force-author
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 110 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> end
>
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho dot1x
> Sysauthcontrol = Enabled
> Supplicant Allowed In Guest Vlan = Disabled
> Dot1x Protocol Version = 1
> Dot1x Oper Controlled Directions = Both
> Dot1x Admin Controlled Directions = Both
>
> Cat3560-2(config-if)#do sho dot1x all
> No Dot1x Configuration exists
> Cat3560-2(config-if)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Jul 22 2011 - 13:48:39 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART
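
Added example, not part of the original thread and not Cisco tooling: a small audit that reads running-config text and reports the effective dot1x port-control mode per access port, so a port with no "dot1x port-control" line (as Gi0/6 shows above) is still listed as open. It assumes, as the thread discusses, that force-authorized is the default and is therefore not written to the config; the function names and the Gi0/7 and Gi0/8 stanzas are constructed for illustration.

```python
# Constructed sample in the style of the "sho run" output in the thread.
# Gi0/7 and Gi0/8 are invented for this example.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport access vlan 567
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/7
 switchport access vlan 567
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/8
 switchport mode trunk
!
end
"""

# Assumption: the platform default, which is why no line is written for it.
DEFAULT_MODE = "force-authorized"

def interface_blocks(config):
    """Return {interface name: [stripped lines]}; indentation is optional."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", "end"):
            current = None  # stanza separator ends the interface block
        elif current is not None:
            blocks[current].append(line)
    return blocks

def effective_port_control(config):
    """Effective dot1x port-control mode for every access-mode interface."""
    modes = {}
    for name, lines in interface_blocks(config).items():
        if "switchport mode access" not in lines:
            continue
        explicit = [l.split()[2] for l in lines if l.startswith("dot1x port-control ")]
        modes[name] = explicit[-1] if explicit else DEFAULT_MODE
    return modes

def ports_without_authentication(config):
    """Access ports that pass traffic with no 802.1X exchange."""
    enabled = any(l.strip() == "dot1x system-auth-control" for l in config.splitlines())
    modes = effective_port_control(config)
    return sorted(n for n, m in modes.items() if not enabled or m == "force-authorized")
```

The same functions accept the unindented form in which the configs were pasted into this thread.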