Re: dot1x missing?

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Fri, 22 Jul 2011 22:13:39 +0200

Yes, when you're preparing for the lab, you must use exactly the same
software version so you are not surprised by issues like that.

To be honest, the code for dot1x has been changed several times in the past
few years and you cannot be sure if the same dot1x feature is there on
different platforms and if this behaves in the same way. Hopefully it is
more stable, consistent and streamlined in 12.2(55) and above.

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2011/7/22 -Hammer- <bhmccie_at_gmail.com>
> Thanks Piotr. I've come to realize the version is the issue. I was
> expecting to be able to produce the same result as I was seeing in the
> workbook since I had the same platform and the versions weren't that far
> off. It was a mistake on my part.
>
> Betting on consistency with Cisco is just plain risky....
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
>  On 07/22/2011 03:03 PM, Piotr Matusiak wrote:
>
> Hammer,
>
> I don't get what's the problem here.
> "force-authorized" is a default setting so it may not be visible in the
> config.
> It disabled dot1x on the port so there will be "no dot1x configuration"
> message - similarly to the port where you haven't configured anything yet.
>
> If you want to see the output as it is in the workbook, start using the
> same IOS version.
>
> Regards,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2011/7/22 -Hammer- <bhmccie_at_gmail.com>
>
>> It's in table 9-2 on the 3560 doc. 7th block down.
>>
>> -Hammer-
>>
>> "I was a normal American nerd"
>> -Jack Herer
>>
>>
>>
>> On 07/22/2011 01:34 PM, garry baker wrote:
>> > some serious inconsistencies with dot1x configuration
>> > the command 'dot1x port-control force-authorized' i cannot even find
>> > in the configuration guide:
>> >
>> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1186540
>> > and of course there is the entire rework of it later on in the config
>> > guide:
>> >
>> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/sw8021x.html#wp1468844
>> >
>> > Table 9-2 Authentication Manager Commands and Earlier 802.1x Commands
>> >
>> > authentication port-control {auto | force-authorized | force-unauthorized}
>> >
>> >
>> >
>> > *dot1x port-control {auto | force-authorized | force-unauthorized}*
>> >
>> >
>> >
>> > Enable manual control of the authorization state of the port.
>> >
>> > --
>> > Garry L. Baker
>> >
>> > "With sufficient thrust, pigs fly just fine..." - RFC 1925
>> >
>> >
>> >
>> > On Fri, Jul 22, 2011 at 9:25 PM, -Hammer- <bhmccie_at_gmail.com <mailto:bhmccie_at_gmail.com>> wrote:
>> >
>> >     Ha! Hey Joe. Nice try but I already have it enabled. :)
>> >
>> >     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> >     Cat3560-2(config)#do sho run | in aaa
>> >     aaa new-model
>> >     aaa authentication login default none
>> >     aaa authentication dot1x default group radius
>> >     aaa session-id common
>> >     Cat3560-2(config)#
>> >     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> >
>> >     I'm clearly misunderstanding something.  See below. I can apply
>> >     "force-author" and nothing happens. I apply "auto" and it works. I go
>> >     back and apply "force author" and it stops displaying again.
>> >
>> >     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> >     Cat3560-2(config-if)#do sho run int gi0/6
>> >     Building configuration...
>> >
>> >     Current configuration : 134 bytes
>> >     !
>> >     interface GigabitEthernet0/6
>> >      description R6 Fa0/0
>> >      switchport access vlan 567
>> >      switchport mode access
>> >      spanning-tree portfast
>> >     end
>> >
>> >     Cat3560-2(config-if)#int gi0/6
>> >     Cat3560-2(config-if)#dot1x port force-author
>> >     Cat3560-2(config-if)#do sho run int gi0/6
>> >     Building configuration...
>> >
>> >     Current configuration : 134 bytes
>> >     !
>> >     interface GigabitEthernet0/6
>> >      description R6 Fa0/0
>> >      switchport access vlan 567
>> >      switchport mode access
>> >      spanning-tree portfast
>> >     end
>> >
>> >     Cat3560-2(config-if)#dot1x port auto
>> >     Cat3560-2(config-if)#
>> >     Cat3560-2(config-if)#
>> >     Cat3560-2(config-if)#
>> >     01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/6, changed state to down
>> >     Cat3560-2(config-if)#
>> >     Cat3560-2(config-if)#do sho run int gi0/6
>> >     Building configuration...
>> >
>> >     Current configuration : 160 bytes
>> >     !
>> >     interface GigabitEthernet0/6
>> >      description R6 Fa0/0
>> >      switchport access vlan 567
>> >      switchport mode access
>> >      dot1x port-control auto
>> >      spanning-tree portfast
>> >     end
>> >
>> >     Cat3560-2(config-if)#
>> >     Cat3560-2(config-if)#dot1x port force-author
>> >     Cat3560-2(config-if)#
>> >     Cat3560-2(config-if)#
>> >     01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/6, changed state to up
>> >     Cat3560-2(config-if)#
>> >     Cat3560-2(config-if)#do sho run int gi0/6
>> >     Building configuration...
>> >
>> >     Current configuration : 134 bytes
>> >     !
>> >     interface GigabitEthernet0/6
>> >      description R6 Fa0/0
>> >      switchport access vlan 567
>> >      switchport mode access
>> >      spanning-tree portfast
>> >     end
>> >
>> >     Cat3560-2(config-if)#
>> >     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> >
>> >     -Hammer-
>> >
>> >     "I was a normal American nerd"
>> >     -Jack Herer
>> >
>> >
>> >
>> >     On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
>> >     > Enabling it globally?
>> >     >
>> >     > Please hammer, don't hurt 'em!
>> >     >
>> >     > Aaa new-model
>> >     > Aaa authen dot1x default group radius
>> >     >
>> >     > dot1x system-auth-control
>> >     >
>> >     > Now you're "too legit to quit" and you "can touch this"
>> >     >
>> >     > -joe
>> >     >
>> >     > -----Original Message-----
>> >     > From: nobody_at_groupstudy.com <mailto:nobody_at_groupstudy.com> [mailto:nobody_at_groupstudy.com <mailto:nobody_at_groupstudy.com>] On Behalf Of -Hammer-
>> >     > Sent: Friday, July 22, 2011 1:53 PM
>> >     > To: ccielab_at_groupstudy.com <mailto:ccielab_at_groupstudy.com>
>> >     > Subject: dot1x missing?
>> >     >
>> >     > I know the trick that dot1x commands won't show up on an interface until
>> >     > it's in access but am I missing something else here?
>> >     > Port enabled
>> >     > Dot1x enabled
>> >     > port in access mode
>> >     > dot1x configuration to port - FAIL
>> >     >
>> >     >
>> >
>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
>> >     > Cat3560-2(config)#do sho run | in dot
>> >     > aaa authentication dot1x default group radius
>> >     > dot1x system-auth-control
>> >     > vlan dot1q tag native
>> >     > Cat3560-2(config)#do sho run int gi0/6
>> >     > Building configuration...
>> >     >
>> >     > Current configuration : 110 bytes
>> >     > !
>> >     > interface GigabitEthernet0/6
>> >     >    description R6 Fa0/0
>> >     >    switchport access vlan 567
>> >     >    switchport mode access
>> >     > end
>> >     >
>> >     > Cat3560-2(config)#int gi0/6
>> >     > Cat3560-2(config-if)#dot1x port-control force-author
>> >     > Cat3560-2(config-if)#do sho run int gi0/6
>> >     > Building configuration...
>> >     >
>> >     > Current configuration : 110 bytes
>> >     > !
>> >     > interface GigabitEthernet0/6
>> >     >    description R6 Fa0/0
>> >     >    switchport access vlan 567
>> >     >    switchport mode access
>> >     > end
>> >     >
>> >     > Cat3560-2(config-if)#
>> >     > Cat3560-2(config-if)#do sho dot1x
>> >     > Sysauthcontrol                    = Enabled
>> >     > Supplicant Allowed In Guest Vlan  = Disabled
>> >     > Dot1x Protocol Version            = 1
>> >     > Dot1x Oper Controlled Directions  = Both
>> >     > Dot1x Admin Controlled Directions = Both
>> >     >
>> >     > Cat3560-2(config-if)#do sho dot1x all
>> >     > No Dot1x Configuration exists
>> >     > Cat3560-2(config-if)#
>> >     >
>> >
>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
>> >
>> >
>> >     Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
>> >
>> >     _______________________________________________________________________
>> >     Subscription information may be found at:
>> >     http://www.groupstudy.com/list/CCIELab.html
>>
Received on Fri Jul 22 2011 - 22:13:39 ART

This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART
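
The behaviour discussed in this thread (force-authorized is the default, so "show run" prints nothing for it) means an audit cannot search for the keyword and has to treat a missing port-control line as an open port. The following is an added example, not code from the thread or from Cisco; the function names are hypothetical and the sample configuration is constructed from the output quoted above.

```python
import re

# Legacy and Authentication Manager forms, per Table 9-2 quoted in the thread.
PORT_CONTROL = re.compile(r"(?:dot1x|authentication) port-control "
                          r"(auto|force-authorized|force-unauthorized)$")

# Constructed sample, modelled on the "show run" output quoted in the thread.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet0/5
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport mode access
 spanning-tree portfast
end
"""

def audit_dot1x(config):
    """Return (globally_enabled, {access port: effective port-control mode})."""
    globally_enabled, blocks, current = False, {}, None
    for line in config.splitlines():
        if line.strip() == "dot1x system-auth-control":
            globally_enabled = True
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    ports = {}
    for name, body in blocks.items():
        if "switchport mode access" not in body:
            continue
        # No port-control line means the default, which "show run" never prints.
        found = [m.group(1) for m in map(PORT_CONTROL.match, body) if m]
        ports[name] = found[-1] if found else "force-authorized"
    return globally_enabled, ports

def open_access_ports(config):
    """Access ports that pass traffic with no 802.1X authentication."""
    globally_enabled, ports = audit_dot1x(config)
    return sorted(name for name, mode in ports.items()
                  if mode == "force-authorized" or not globally_enabled)
```

Run against the constructed sample, only GigabitEthernet0/6 is reported, matching the port in the thread whose configuration shows no dot1x line at all.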