I agree. I'm referencing the solution for IPExpert Vol1 Lab2 Task 1.10.
The Task is on Cat2 which is a 3560. Same as what I'm using. Yet they
get the expected results and I am not. Theirs is an older 3560 with FE
ports instead of GE ports (like mine) but I still can't figure it out.
The bottom line is that even if my output doesn't make sense my
configuration was not the issue. I'll dive into it more but I'm not
gonna kill myself over it.
Thanks for everyone's help....
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/22/2011 01:53 PM, Joseph L. Brunner wrote:
>
> As fun as this was -- you would save MUCH more time and gain much more
> confidence working from a vendor workbook... sometimes I would read 96
> pages of cisco documentation for MANY HOURS and walk away unsure --
> only to have Brian Dennis say more in 2 sentences in the IE workbook.
>
> Just sayin'
>
> *From:* -Hammer- [mailto:bhmccie_at_gmail.com]
> *Sent:* Friday, July 22, 2011 2:49 PM
> *To:* Joseph L. Brunner
> *Cc:* marc abel; ccielab_at_groupstudy.com
> *Subject:* Re: dot1x missing?
>
> On older platforms the force-authorized is the default. I cannot
> confirm that on the 3560. And I'm looking at a particular vendor lab
> where upon applying it to the 3560 and doing a "show dot1x all" the
> Interface reports that it is in force-authorized port-control. So I am
> attempting on the same hardware to get the same result to validate my
> config against the solution guide and am unable. It's gotta be a
> version thing.... You guys have vetted the configs at least.
>
>
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#int gi0/6
> Cat3560-2(config-if)#dot1x port-control force-author
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#do sho dot1x int gi0/6
> Dot1x not configured on interface GigabitEthernet0/6
>
> Cat3560-2(config-if)#
>
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 07/22/2011 01:43 PM, Joseph L. Brunner wrote:
>
> Isn't the "force-authorized" state the default?
>
> What does
>
> Show dot1x all details
>
> Tell you?
>
> *From:* -Hammer- [mailto:bhmccie_at_gmail.com]
> *Sent:* Friday, July 22, 2011 2:38 PM
> *To:* marc abel
> *Cc:* Joseph L. Brunner; ccielab_at_groupstudy.com
> <mailto:ccielab_at_groupstudy.com>
> *Subject:* Re: dot1x missing?
>
> Hey Marc. It's there in the original post.
>
>
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 07/22/2011 01:35 PM, marc abel wrote:
>
> Maybe I'm missing it but I don't see
>
> dot1x system-auth-control
>
> in your global config.
>
> On Fri, Jul 22, 2011 at 1:25 PM, -Hammer-<bhmccie_at_gmail.com> <mailto:bhmccie_at_gmail.com> wrote:
>
> Ha! Hey Joe. Nice try but I already have it enabled. :)
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config)#do sho run | in aaa
> aaa new-model
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa session-id common
> Cat3560-2(config)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> I'm clearly misunderstanding something. See below. I can apply
> "force-author" and nothing happens. I apply "auto" and it works. I go
> back and apply "force author" and it stops displaying again.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#int gi0/6
> Cat3560-2(config-if)#dot1x port force-author
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#dot1x port auto
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> 01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> GigabitEthernet0/6, changed state to down
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 160 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> dot1x port-control auto
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#dot1x port force-author
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> 01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> GigabitEthernet0/6, changed state to up
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
> On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
>
> Enabling it globally?
>
> Please hammer, don't hurt 'em!
>
> Aaa new-model
> Aaa authen dot1x default group radius
>
> dot1x system-auth-control
>
> Now you're "too legit to quit" and you "can touch this"
>
> -joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com <mailto:nobody_at_groupstudy.com> [mailto:nobody_at_groupstudy.com] On Behalf Of -Hammer-
> Sent: Friday, July 22, 2011 1:53 PM
> To: ccielab_at_groupstudy.com <mailto:ccielab_at_groupstudy.com>
> Subject: dot1x missing?
>
> I know the trick that dot1x commands won't show up on an interface until
> it's in access but am I missing something else here?
> Port enabled
> Dot1x enabled
> port in access mode
> dot1x configuration to port - FAIL
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config)#do sho run | in dot
> aaa authentication dot1x default group radius
> dot1x system-auth-control
> vlan dot1q tag native
> Cat3560-2(config)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 110 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> end
>
> Cat3560-2(config)#int gi0/6
> Cat3560-2(config-if)#dot1x port-control force-author
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 110 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> end
>
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho dot1x
> Sysauthcontrol = Enabled
> Supplicant Allowed In Guest Vlan = Disabled
> Dot1x Protocol Version = 1
> Dot1x Oper Controlled Directions = Both
> Dot1x Admin Controlled Directions = Both
>
> Cat3560-2(config-if)#do sho dot1x all
> No Dot1x Configuration exists
> Cat3560-2(config-if)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Jul 22 2011 - 13:57:38 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART
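
In the transcripts above, the interface's running configuration carries a `dot1x port-control` line only in `auto` mode; after `force-authorized` is entered, no line appears. The following added example (not part of the original thread) audits a running-config on that basis, assuming a missing line means the port is force-authorized and so passes traffic without 802.1X authentication. The sample config, the `Gi0/7` port and the function names are constructed for illustration.

```python
# Constructed sample; Gi0/7 is a hypothetical port added to show the "auto" case.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport access vlan 567
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/7
 switchport access vlan 567
 switchport mode access
 dot1x port-control auto
!
end
"""

def parse_config(config):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(line)
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def audit_dot1x(config):
    """Report the effective dot1x port-control mode of every access port."""
    global_lines, interfaces = parse_config(config)
    report = {"system-auth-control": "dot1x system-auth-control" in global_lines}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue
        modes = [c.split()[-1] for c in cmds if c.startswith("dot1x port-control ")]
        # Assumption: no port-control line means force-authorized, as in the thread.
        report[name] = modes[0] if modes else "force-authorized (implicit)"
    return report

if __name__ == "__main__":
    for key, value in audit_dot1x(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The parser expects the leading-space indentation of a real `show running-config`; the output pasted in the e-mails has lost it.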