Thanks Piotr. I've come to realize the version is the issue. I was
expecting to be able to produce the same result as I was seeing in the
workbook since I had the same platform and the versions weren't that far
off. It was a mistake on my part.
Betting on consistency with Cisco is just plain risky....
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/22/2011 03:03 PM, Piotr Matusiak wrote:
> Hammer,
> I don't get what's the problem here.
> "force-authorized" is a default setting so it may not be visible in
> the config.
> It disabled dot1x on the port so there will be "no dot1x
> configuration" message - similarly to the port where you haven't
> configured anything yet.
> If you want to see the output as it is in the workbook, start using
> the same IOS version.
> Regards,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough
> - Albert Einstein
>
>
> 2011/7/22 -Hammer- <bhmccie_at_gmail.com>
>
> It's in table 9-2 on the 3560 doc. 7th block down.
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 07/22/2011 01:34 PM, garry baker wrote:
> > some serious inconsistencies with dot1x configuration
> > the command 'dot1x port-control force-authorized' i cannot even find
> > in the configuration guide:
> >
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1186540
> > and of course there is the entire rework of it later on in the config guide:
> >
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/sw8021x.html#wp1468844
> >
> > Table 9-2 Authentication Manager Commands and Earlier 802.1x Commands
> >
> > authentication port-control {auto | force-authorized | force-unauthorized}
> >
> >
> >
> > *dot1x port-control {auto | force-authorized | force-unauthorized}*
> >
> >
> >
> > Enable manual control of the authorization state of the port.
> >
> > --
> > Garry L. Baker
> >
> > "With sufficient thrust, pigs fly just fine..." - RFC 1925
> >
> >
> >
> > On Fri, Jul 22, 2011 at 9:25 PM, -Hammer- <bhmccie_at_gmail.com> wrote:
> >
> > Ha! Hey Joe. Nice try but I already have it enabled. :)
> >
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > Cat3560-2(config)#do sho run | in aaa
> > aaa new-model
> > aaa authentication login default none
> > aaa authentication dot1x default group radius
> > aaa session-id common
> > Cat3560-2(config)#
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >
> > I'm clearly misunderstanding something. See below. I can apply
> > "force-author" and nothing happens. I apply "auto" and it works. I go
> > back and apply "force author" and it stops displaying again.
> >
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > Cat3560-2(config-if)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 134 bytes
> > !
> > interface GigabitEthernet0/6
> > description R6 Fa0/0
> > switchport access vlan 567
> > switchport mode access
> > spanning-tree portfast
> > end
> >
> > Cat3560-2(config-if)#int gi0/6
> > Cat3560-2(config-if)#dot1x port force-author
> > Cat3560-2(config-if)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 134 bytes
> > !
> > interface GigabitEthernet0/6
> > description R6 Fa0/0
> > switchport access vlan 567
> > switchport mode access
> > spanning-tree portfast
> > end
> >
> > Cat3560-2(config-if)#dot1x port auto
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#
> > 01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> > GigabitEthernet0/6, changed state to down
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 160 bytes
> > !
> > interface GigabitEthernet0/6
> > description R6 Fa0/0
> > switchport access vlan 567
> > switchport mode access
> > dot1x port-control auto
> > spanning-tree portfast
> > end
> >
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#dot1x port force-author
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#
> > 01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> > GigabitEthernet0/6, changed state to up
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 134 bytes
> > !
> > interface GigabitEthernet0/6
> > description R6 Fa0/0
> > switchport access vlan 567
> > switchport mode access
> > spanning-tree portfast
> > end
> >
> > Cat3560-2(config-if)#
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >
> > -Hammer-
> >
> > "I was a normal American nerd"
> > -Jack Herer
> >
> >
> >
> > On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
> > > Enabling it globally?
> > >
> > > Please hammer, don't hurt 'em!
> > >
> > > Aaa new-model
> > > Aaa authen dot1x default group radius
> > >
> > > dot1x system-auth-control
> > >
> > > Now you're "too legit to quit" and you "can touch this"
> > >
> > > -joe
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of -Hammer-
> > > Sent: Friday, July 22, 2011 1:53 PM
> > > To: ccielab_at_groupstudy.com
> > > Subject: dot1x missing?
> > >
> > > I know the trick that dot1x commands won't show up on an interface
> > > until it's in access but am I missing something else here?
> > > Port enabled
> > > Dot1x enabled
> > > port in access mode
> > > dot1x configuration to port - FAIL
> > >
> > >
> >
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > > Cat3560-2(config)#do sho run | in dot
> > > aaa authentication dot1x default group radius
> > > dot1x system-auth-control
> > > vlan dot1q tag native
> > > Cat3560-2(config)#do sho run int gi0/6
> > > Building configuration...
> > >
> > > Current configuration : 110 bytes
> > > !
> > > interface GigabitEthernet0/6
> > > description R6 Fa0/0
> > > switchport access vlan 567
> > > switchport mode access
> > > end
> > >
> > > Cat3560-2(config)#int gi0/6
> > > Cat3560-2(config-if)#dot1x port-control force-author
> > > Cat3560-2(config-if)#do sho run int gi0/6
> > > Building configuration...
> > >
> > > Current configuration : 110 bytes
> > > !
> > > interface GigabitEthernet0/6
> > > description R6 Fa0/0
> > > switchport access vlan 567
> > > switchport mode access
> > > end
> > >
> > > Cat3560-2(config-if)#
> > > Cat3560-2(config-if)#do sho dot1x
> > > Sysauthcontrol = Enabled
> > > Supplicant Allowed In Guest Vlan = Disabled
> > > Dot1x Protocol Version = 1
> > > Dot1x Oper Controlled Directions = Both
> > > Dot1x Admin Controlled Directions = Both
> > >
> > > Cat3560-2(config-if)#do sho dot1x all
> > > No Dot1x Configuration exists
> > > Cat3560-2(config-if)#
> > >
> >
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> >
> _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
Received on Fri Jul 22 2011 - 15:06:55 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART
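
Added example, not part of the original thread: a small audit that reads a running-config and reports each access port's effective 802.1X port-control mode, treating a missing line as the default `force-authorized` that the thread describes. The sample config is constructed, the function names are hypothetical, and both command forms from Table 9-2 are accepted.

```python
import re

# Constructed sample modelled on the running-config excerpts quoted in the thread.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet0/5
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport access vlan 567
 switchport mode access
!
interface GigabitEthernet0/7
 switchport mode access
 authentication port-control force-unauthorized
!
interface GigabitEthernet0/24
 switchport mode trunk
end
"""

# Legacy and Authentication Manager syntax for the same setting (Table 9-2).
PORT_CONTROL = re.compile(r"^(?:dot1x|authentication) port-control (\S+)$")

def audit_dot1x(config):
    """Return (globally_enabled, {access port: effective port-control mode})."""
    globally_enabled = False
    modes, access_ports, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level line closes any interface block
            current = line.split(None, 1)[1] if line.startswith("interface ") else None
            globally_enabled |= line == "dot1x system-auth-control"
        elif current and line == "switchport mode access":
            access_ports.add(current)
        elif current and (m := PORT_CONTROL.match(line)):
            modes[current] = m.group(1)
    # No port-control line means the default (force-authorized), which IOS omits.
    return globally_enabled, {p: modes.get(p, "force-authorized") for p in sorted(access_ports)}

def unenforced_ports(config):
    """Access ports that pass traffic without 802.1X authentication."""
    enabled, modes = audit_dot1x(config)
    return [p for p, m in modes.items() if not enabled or m == "force-authorized"]
```

Run it against the full `show running-config` output, where abbreviated input such as `dot1x port force-author` has already been expanded or dropped as a default.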