Some serious inconsistencies with dot1x configuration.
The command 'dot1x port-control force-authorized' I cannot even find in the
configuration guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1186540
and of course there is the entire rework of it later on in the config guide:
Table 9-2 Authentication Manager Commands and Earlier 802.1x Commands
authentication port-control {auto | force-authorized | force-unauthorized}
*dot1x port-control {auto | force-authorized | force-unauthorized}*
Enable manual control of the authorization state of the port.
--
Garry L. Baker
"With sufficient thrust, pigs fly just fine..." - RFC 1925
On Fri, Jul 22, 2011 at 9:25 PM, -Hammer- <bhmccie_at_gmail.com> wrote:
> Ha! Hey Joe. Nice try but I already have it enabled. :)
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config)#do sho run | in aaa
> aaa new-model
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa session-id common
> Cat3560-2(config)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> I'm clearly misunderstanding something. See below. I can apply
> "force-author" and nothing happens. I apply "auto" and it works. I go
> back and apply "force author" and it stops displaying again.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#int gi0/6
> Cat3560-2(config-if)#dot1x port force-author
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#dot1x port auto
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> 01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/6, changed state to down
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 160 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> dot1x port-control auto
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#dot1x port force-author
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#
> 01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/6, changed state to up
> Cat3560-2(config-if)#
> Cat3560-2(config-if)#do sho run int gi0/6
> Building configuration...
>
> Current configuration : 134 bytes
> !
> interface GigabitEthernet0/6
> description R6 Fa0/0
> switchport access vlan 567
> switchport mode access
> spanning-tree portfast
> end
>
> Cat3560-2(config-if)#
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
> > Enabling it globally?
> >
> > Please hammer, don't hurt 'em!
> >
> > Aaa new-model
> > Aaa authen dot1x default group radius
> >
> > dot1x system-auth-control
> >
> > Now you're "too legit to quit" and you "can touch this"
> >
> > -joe
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> -Hammer-
> > Sent: Friday, July 22, 2011 1:53 PM
> > To: ccielab_at_groupstudy.com
> > Subject: dot1x missing?
> >
> > I know the trick that dot1x commands won't show up on an interface until
> > it's in access but am I missing something else here?
> > Port enabled
> > Dot1x enabled
> > port in access mode
> > dot1x configuration to port - FAIL
> >
> >
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > Cat3560-2(config)#do sho run | in dot
> > aaa authentication dot1x default group radius
> > dot1x system-auth-control
> > vlan dot1q tag native
> > Cat3560-2(config)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 110 bytes
> > !
> > interface GigabitEthernet0/6
> > description R6 Fa0/0
> > switchport access vlan 567
> > switchport mode access
> > end
> >
> > Cat3560-2(config)#int gi0/6
> > Cat3560-2(config-if)#dot1x port-control force-author
> > Cat3560-2(config-if)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 110 bytes
> > !
> > interface GigabitEthernet0/6
> > description R6 Fa0/0
> > switchport access vlan 567
> > switchport mode access
> > end
> >
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#do sho dot1x
> > Sysauthcontrol = Enabled
> > Supplicant Allowed In Guest Vlan = Disabled
> > Dot1x Protocol Version = 1
> > Dot1x Oper Controlled Directions = Both
> > Dot1x Admin Controlled Directions = Both
> >
> > Cat3560-2(config-if)#do sho dot1x all
> > No Dot1x Configuration exists
> > Cat3560-2(config-if)#
> >
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Fri Jul 22 2011 - 21:34:47 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART
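The behaviour Hammer observed above is the usual IOS rule that default settings are not shown in `show running-config`: `force-authorized` is the default port-control state, so applying it removes the line, while `auto` is non-default and appears. The security consequence is that an access port with no `dot1x port-control` (or `authentication port-control`) line at all is not "dot1x off", it is a port that forwards traffic with no authentication. The following audit script is an added example, not code from this thread or from Cisco; it parses `show running-config` text, treats a missing port-control line as `force-authorized`, and flags every access port that is not in `auto`. The sample configuration is constructed for the example (Gi0/6 is modelled on Hammer's port; the other interfaces are invented), and the function and constant names are the example's own.

```python
"""Audit a Cisco IOS running-config for 802.1X port-control state.

IOS omits default interface settings from `show running-config`, so an
access port with no `dot1x port-control` / `authentication port-control`
line is in the default force-authorized state and forwards traffic without
any 802.1X authentication. This script makes that implicit default explicit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Both the legacy dot1x syntax and the newer authentication-manager syntax.
PORT_CONTROL_RE = re.compile(
    r"^\s*(?:dot1x|authentication) port-control "
    r"(auto|force-authorized|force-unauthorized)\s*$"
)
DEFAULT_PORT_CONTROL = "force-authorized"   # IOS default, never shown in show run
GLOBAL_DISABLED = "dot1x system-auth-control not configured"


@dataclass
class Interface:
    name: str
    lines: list[str] = field(default_factory=list)

    @property
    def is_access(self) -> bool:
        return any(l.strip() == "switchport mode access" for l in self.lines)

    @property
    def port_control(self) -> str:
        """Explicit port-control value, or the IOS default when absent."""
        for l in self.lines:
            m = PORT_CONTROL_RE.match(l)
            if m:
                return m.group(1)
        return DEFAULT_PORT_CONTROL


def parse_interfaces(config: str) -> list[Interface]:
    """Split running-config text into interface blocks (indented lines)."""
    interfaces: list[Interface] = []
    current: Interface | None = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = Interface(line.split(None, 1)[1].strip())
            interfaces.append(current)
        elif current is not None and line.startswith(" "):
            current.lines.append(line)
        else:
            current = None  # "!" or a global command closes the block
    return interfaces


def global_dot1x_enabled(config: str) -> bool:
    return any(l.strip() == "dot1x system-auth-control" for l in config.splitlines())


def audit(config: str) -> dict[str, str]:
    """Return {interface: port-control state} for access ports not in auto.

    A "global" key is added when 802.1X is not enabled at all, since then
    per-port settings have no effect and every port is unauthenticated.
    """
    findings: dict[str, str] = {}
    if not global_dot1x_enabled(config):
        findings["global"] = GLOBAL_DISABLED
    for intf in parse_interfaces(config):
        if intf.is_access and intf.port_control != "auto":
            findings[intf.name] = intf.port_control
    return findings


# Constructed sample config for the example; Gi0/6 mirrors the thread's port.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport access vlan 567
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/7
 switchport access vlan 567
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface GigabitEthernet0/8
 switchport access vlan 567
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/10
 switchport mode access
 dot1x port-control force-unauthorized
!
end
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {state}")
```

Run it against the saved output of `show running-config`; every access port it lists as `force-authorized` is one where the absence of a line in the config, exactly as in the Gi0/6 output above, means unauthenticated access rather than a disabled feature.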