As fun as this was - you would save MUCH more time and gain much more
confidence working from a vendor workbook... sometimes I would read 96 pages
of Cisco documentation for MANY HOURS and walk away unsure - only to have
Brian Dennis say more in 2 sentences in the IE workbook.
Just sayin'
From: -Hammer- [mailto:bhmccie_at_gmail.com]
Sent: Friday, July 22, 2011 2:49 PM
To: Joseph L. Brunner
Cc: marc abel; ccielab_at_groupstudy.com
Subject: Re: dot1x missing?
On older platforms the force-authorized is the default. I cannot confirm that
on the 3560. And I'm looking at a particular vendor lab where upon applying it
to the 3560 and doing a "show dot1x all" the Interface reports that it is in
force-authorized port-control. So I am attempting on the same hardware to get
the same result to validate my config against the solution guide and am
unable. It's gotta be a version thing.... You guys have vetted the configs at
least.
Cat3560-2(config-if)#
Cat3560-2(config-if)#int gi0/6
Cat3560-2(config-if)#dot1x port-control force-author
Cat3560-2(config-if)#do sho run int gi0/6
Building configuration...
Current configuration : 134 bytes
!
interface GigabitEthernet0/6
description R6 Fa0/0
switchport access vlan 567
switchport mode access
spanning-tree portfast
end
Cat3560-2(config-if)#do sho dot1x int gi0/6
Dot1x not configured on interface GigabitEthernet0/6
Cat3560-2(config-if)#
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/22/2011 01:43 PM, Joseph L. Brunner wrote:
Isn't the "force-authorized" state the default?
What does "show dot1x all details" tell you?
From: -Hammer- [mailto:bhmccie_at_gmail.com]
Sent: Friday, July 22, 2011 2:38 PM
To: marc abel
Cc: Joseph L. Brunner; ccielab_at_groupstudy.com
Subject: Re: dot1x missing?
Hey Marc. It's there in the original post.
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/22/2011 01:35 PM, marc abel wrote:
Maybe I'm missing it but I don't see
dot1x system-auth-control
in your global config.
On Fri, Jul 22, 2011 at 1:25 PM, -Hammer- <bhmccie_at_gmail.com> wrote:
Ha! Hey Joe. Nice try but I already have it enabled. :)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Cat3560-2(config)#do sho run | in aaa
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
aaa session-id common
Cat3560-2(config)#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I'm clearly misunderstanding something. See below. I can apply
"force-author" and nothing happens. I apply "auto" and it works. I go
back and apply "force author" and it stops displaying again.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Cat3560-2(config-if)#do sho run int gi0/6
Building configuration...
Current configuration : 134 bytes
!
interface GigabitEthernet0/6
description R6 Fa0/0
switchport access vlan 567
switchport mode access
spanning-tree portfast
end
Cat3560-2(config-if)#int gi0/6
Cat3560-2(config-if)#dot1x port force-author
Cat3560-2(config-if)#do sho run int gi0/6
Building configuration...
Current configuration : 134 bytes
!
interface GigabitEthernet0/6
description R6 Fa0/0
switchport access vlan 567
switchport mode access
spanning-tree portfast
end
Cat3560-2(config-if)#dot1x port auto
Cat3560-2(config-if)#
Cat3560-2(config-if)#
Cat3560-2(config-if)#
01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/6, changed state to down
Cat3560-2(config-if)#
Cat3560-2(config-if)#do sho run int gi0/6
Building configuration...
Current configuration : 160 bytes
!
interface GigabitEthernet0/6
description R6 Fa0/0
switchport access vlan 567
switchport mode access
dot1x port-control auto
spanning-tree portfast
end
Cat3560-2(config-if)#
Cat3560-2(config-if)#dot1x port force-author
Cat3560-2(config-if)#
Cat3560-2(config-if)#
01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/6, changed state to up
Cat3560-2(config-if)#
Cat3560-2(config-if)#do sho run int gi0/6
Building configuration...
Current configuration : 134 bytes
!
interface GigabitEthernet0/6
description R6 Fa0/0
switchport access vlan 567
switchport mode access
spanning-tree portfast
end
Cat3560-2(config-if)#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
Enabling it globally?
Please hammer, don't hurt 'em!
aaa new-model
aaa authen dot1x default group radius
dot1x system-auth-control
Now you're "too legit to quit" and you "can touch this"
-joe
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of -Hammer-
Sent: Friday, July 22, 2011 1:53 PM
To: ccielab_at_groupstudy.com
Subject: dot1x missing?
I know the trick that dot1x commands won't show up on an interface until
it's in access but am I missing something else here?
Port enabled
Dot1x enabled
port in access mode
dot1x configuration to port - FAIL
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
Cat3560-2(config)#do sho run | in dot
aaa authentication dot1x default group radius
dot1x system-auth-control
vlan dot1q tag native
Cat3560-2(config)#do sho run int gi0/6
Building configuration...
Current configuration : 110 bytes
!
interface GigabitEthernet0/6
description R6 Fa0/0
switchport access vlan 567
switchport mode access
end
Cat3560-2(config)#int gi0/6
Cat3560-2(config-if)#dot1x port-control force-author
Cat3560-2(config-if)#do sho run int gi0/6
Building configuration...
Current configuration : 110 bytes
!
interface GigabitEthernet0/6
description R6 Fa0/0
switchport access vlan 567
switchport mode access
end
Cat3560-2(config-if)#
Cat3560-2(config-if)#do sho dot1x
Sysauthcontrol = Enabled
Supplicant Allowed In Guest Vlan = Disabled
Dot1x Protocol Version = 1
Dot1x Oper Controlled Directions = Both
Dot1x Admin Controlled Directions = Both
Cat3560-2(config-if)#do sho dot1x all
No Dot1x Configuration exists
Cat3560-2(config-if)#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
Received on Fri Jul 22 2011 - 18:53:45 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART
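
Added example, not part of the thread or of any vendor tooling: a small audit that reads "show running-config" text and reports which access ports actually enforce 802.1X, so a port whose stanza shows no dot1x line (as Gi0/6 does above) is reported rather than silently skipped. It assumes, following Joseph's suggestion in the thread, that a missing "dot1x port-control" line means force-authorized; the Gi0/7 and Gi0/8 stanzas and the function names are constructed for illustration.

```python
import re

# Constructed sample: global lines and the Gi0/6 stanza as shown in the thread,
# plus two hypothetical ports (Gi0/7 with "auto", Gi0/8 as a trunk).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport access vlan 567
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/7
 switchport access vlan 567
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface GigabitEthernet0/8
 switchport mode trunk
end
"""

# Assumption (Joseph's suggestion in the thread): no explicit port-control
# line means the port is force-authorized, i.e. it passes traffic unauthenticated.
ASSUMED_DEFAULT = "force-authorized"
PORT_CONTROL = "dot1x port-control "


def audit_dot1x(config: str) -> dict:
    """Return the global 802.1X state and the effective mode of each access port."""
    enabled = re.search(r"^dot1x system-auth-control$", config, re.M) is not None
    ports = {}
    # A stanza is the "interface" line plus the indented lines that follow it.
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n)*)", config, re.M):
        lines = [line.strip() for line in body.splitlines()]
        if "switchport mode access" not in lines:
            continue  # the thread notes dot1x only shows up on access ports
        explicit = [l[len(PORT_CONTROL):] for l in lines if l.startswith(PORT_CONTROL)]
        mode = explicit[0] if explicit else ASSUMED_DEFAULT
        ports[name] = {"mode": mode, "explicit": bool(explicit),
                       "enforced": enabled and mode == "auto"}
    return {"system_auth_control": enabled, "ports": ports}


def unenforced_ports(config: str) -> list:
    """Access ports that do not require authentication before forwarding."""
    return sorted(n for n, p in audit_dot1x(config)["ports"].items() if not p["enforced"])
```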