I have one in my configuration but this is strictly labbing so it's not
reachable. I can't figure out why I can set "auto" and see it and set
"force-author" and not.
PS: if I set it to auto and do a "sho sho dot1x int gi0/6" I get output.
If I do the same command with the "force-author" applied (but not
visible) it tells me that dot1x is not configured. Clearly the IOS is
not accepting the command but I can't figure out what I am missing to
force it.
radius-server host 150.100.220.100 auth-port 1645 acct-port 1646 key 7 0706314956191C170352
radius-server source-ports 1645-1646
!
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/22/2011 01:26 PM, Joseph L. Brunner wrote:
>
> Do you actually have a radius server configured ?
>
> *From:* -Hammer- [mailto:bhmccie_at_gmail.com]
> *Sent:* Friday, July 22, 2011 2:25 PM
> *To:* Joseph L. Brunner
> *Cc:* ccielab_at_groupstudy.com
> *Subject:* Re: dot1x missing?
>
> Ha! Hey Joe. Nice try but I already have it enabled. :)
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config)#do sho run | in aaa
> aaa new-model
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa session-id common
> Cat3560-2(config)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> I'm clearly misunderstanding something. See below. I can apply
> "force-author" and nothing happens. I apply "auto" and it works. I go
> back and apply "force author" and it stops displaying again.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#int gi0/6
> Cat3560-2(config-if)#dot1x port force-author
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#dot1x port auto
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> 01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/6, changed state to down
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 160 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> dot1x port-control auto
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#dot1x port force-author
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> 01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/6, changed state to up
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
>
> Enabling it globally?
>
> Please hammer, don't hurt 'em!
>
> Aaa new-model
> Aaa authen dot1x default group radius
>
> dot1x system-auth-control
>
> Now you're "too legit to quit" and you "can touch this"
>
> -joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of -Hammer-
> Sent: Friday, July 22, 2011 1:53 PM
> To: ccielab_at_groupstudy.com
> Subject: dot1x missing?
>
> I know the trick that dot1x commands won't show up on an interface until
> it's in access but am I missing something else here?
> Port enabled
> Dot1x enabled
> port in access mode
> dot1x configuration to port - FAIL
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config)#do sho run | in dot
> aaa authentication dot1x default group radius
> dot1x system-auth-control
> vlan dot1q tag native
> Cat3560-2(config)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 110 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> end
>
> Cat3560-2(config)#int gi0/6
> Cat3560-2(config-if)#dot1x port-control force-author
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 110 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> end
>
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho dot1x
> Sysauthcontrol = Enabled
> Supplicant Allowed In Guest Vlan = Disabled
> Dot1x Protocol Version = 1
> Dot1x Oper Controlled Directions = Both
> Dot1x Admin Controlled Directions = Both
>
> Cat3560-2(config-if)#do sho dot1x all
> No Dot1x Configuration exists
> Cat3560-2(config-if)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
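
Added example (not part of the original thread): a Python check over `show running-config` text that reports the effective 802.1X port-control mode of each access port. It assumes the Catalyst IOS behaviour that `force-authorized` is the default port-control mode and, being a default, is not written to the running configuration; the sample config is constructed from the thread's output, with Gi0/7 added as a constructed second port.

```python
import re

# Constructed sample, modelled on the running-config shown in the thread.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport access vlan 567
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/7
 switchport access vlan 567
 switchport mode access
 dot1x port-control auto
"""

def audit_dot1x(config):
    """Return (global_enabled, {access port: effective port-control mode})."""
    global_enabled = False
    ports = {}          # interface name -> list of its sub-commands
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                ports[current] = []
            if line == "dot1x system-auth-control":
                global_enabled = True
        elif current:
            ports[current].append(line)
    modes = {}
    for name, cmds in ports.items():
        if "switchport mode access" not in cmds:
            continue
        # Assumption: no port-control line means the default, force-authorized
        # (the port forwards traffic with no 802.1X exchange).
        mode = "force-authorized"
        for cmd in cmds:
            m = re.match(r"dot1x port-control\s+(\S+)", cmd)
            if m:
                mode = m.group(1)
        modes[name] = mode
    return global_enabled, modes
```

Ports reported as `force-authorized` on a switch with 802.1X globally enabled are the ones to review, since they admit any attached device without authentication.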
Received on Fri Jul 22 2011 - 13:34:11 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART