Hammer,
I don't get what's the problem here.
"force-authorized" is a default setting so it may not be visible in the
config.
It disabled dot1x on the port so there will be "no dot1x configuration"
message - similarly to the port where you haven't configured anything yet.
If you want to see the output as it is in the workbook, start using the same
IOS version.
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough - Albert Einstein

2011/7/22 -Hammer- <bhmccie_at_gmail.com>

> It's in table 9-2 on the 3560 doc. 7th block down.
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
> On 07/22/2011 01:34 PM, garry baker wrote:
> > some serious inconsistencies with dot1x configuration
> > the command 'dot1x port-control force-authorized' i cannot even find
> > in the configuration guide:
> >
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1186540
> >
> > and of course there is the entire rework of it later on in the config
> > guide:
> >
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/sw8021x.html#wp1468844
> >
> > Table 9-2 Authentication Manager Commands and Earlier 802.1x Commands
> >
> > authentication port-control {auto | force-authorized | force-unauthorized}
> >
> > *dot1x port-control {auto | force-authorized | force-unauthorized}*
> >
> > Enable manual control of the authorization state of the port.
> >
> > --
> > Garry L. Baker
> >
> > "With sufficient thrust, pigs fly just fine..." - RFC 1925
> >
> > On Fri, Jul 22, 2011 at 9:25 PM, -Hammer- <bhmccie_at_gmail.com
> > <mailto:bhmccie_at_gmail.com>> wrote:
> >
> > Ha! Hey Joe. Nice try but I already have it enabled. :)
> >
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > Cat3560-2(config)#do sho run | in aaa
> > aaa new-model
> > aaa authentication login default none
> > aaa authentication dot1x default group radius
> > aaa session-id common
> > Cat3560-2(config)#
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >
> > I'm clearly misunderstanding something. See below. I can apply
> > "force-author" and nothing happens. I apply "auto" and it works. I go
> > back and apply "force author" and it stops displaying again.
> >
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > Cat3560-2(config-if)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 134 bytes
> > !
> > interface GigabitEthernet0/6
> >  description R6 Fa0/0
> >  switchport access vlan 567
> >  switchport mode access
> >  spanning-tree portfast
> > end
> >
> > Cat3560-2(config-if)#int gi0/6
> > Cat3560-2(config-if)#dot1x port force-author
> > Cat3560-2(config-if)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 134 bytes
> > !
> > interface GigabitEthernet0/6
> >  description R6 Fa0/0
> >  switchport access vlan 567
> >  switchport mode access
> >  spanning-tree portfast
> > end
> >
> > Cat3560-2(config-if)#dot1x port auto
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#
> > 01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> > GigabitEthernet0/6, changed state to down
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 160 bytes
> > !
> > interface GigabitEthernet0/6
> >  description R6 Fa0/0
> >  switchport access vlan 567
> >  switchport mode access
> >  dot1x port-control auto
> >  spanning-tree portfast
> > end
> >
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#dot1x port force-author
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#
> > 01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> > GigabitEthernet0/6, changed state to up
> > Cat3560-2(config-if)#
> > Cat3560-2(config-if)#do sho run int gi0/6
> > Building configuration...
> >
> > Current configuration : 134 bytes
> > !
> > interface GigabitEthernet0/6
> >  description R6 Fa0/0
> >  switchport access vlan 567
> >  switchport mode access
> >  spanning-tree portfast
> > end
> >
> > Cat3560-2(config-if)#
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >
> > -Hammer-
> >
> > "I was a normal American nerd"
> > -Jack Herer
> >
> > On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
> > > Enabling it globally?
> > >
> > > Please hammer, don't hurt 'em!
> > >
> > > Aaa new-model
> > > Aaa authen dot1x default group radius
> > >
> > > dot1x system-auth-control
> > >
> > > Now you're "too legit to quit" and you "can touch this"
> > >
> > > -joe
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com <mailto:nobody_at_groupstudy.com> [mailto:nobody_at_groupstudy.com <mailto:nobody_at_groupstudy.com>] On Behalf Of -Hammer-
> > > Sent: Friday, July 22, 2011 1:53 PM
> > > To: ccielab_at_groupstudy.com <mailto:ccielab_at_groupstudy.com>
> > > Subject: dot1x missing?
> > >
> > > I know the trick that dot1x commands won't show up on an interface until
> > > it's in access but am I missing something else here?
> > > Port enabled
> > > Dot1x enabled
> > > port in access mode
> > > dot1x configuration to port - FAIL
> > >
> > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > > Cat3560-2(config)#do sho run | in dot
> > > aaa authentication dot1x default group radius
> > > dot1x system-auth-control
> > > vlan dot1q tag native
> > > Cat3560-2(config)#do sho run int gi0/6
> > > Building configuration...
> > >
> > > Current configuration : 110 bytes
> > > !
> > > interface GigabitEthernet0/6
> > >  description R6 Fa0/0
> > >  switchport access vlan 567
> > >  switchport mode access
> > > end
> > >
> > > Cat3560-2(config)#int gi0/6
> > > Cat3560-2(config-if)#dot1x port-control force-author
> > > Cat3560-2(config-if)#do sho run int gi0/6
> > > Building configuration...
> > >
> > > Current configuration : 110 bytes
> > > !
> > > interface GigabitEthernet0/6
> > >  description R6 Fa0/0
> > >  switchport access vlan 567
> > >  switchport mode access
> > > end
> > >
> > > Cat3560-2(config-if)#
> > > Cat3560-2(config-if)#do sho dot1x
> > > Sysauthcontrol = Enabled
> > > Supplicant Allowed In Guest Vlan = Disabled
> > > Dot1x Protocol Version = 1
> > > Dot1x Oper Controlled Directions = Both
> > > Dot1x Admin Controlled Directions = Both
> > >
> > > Cat3560-2(config-if)#do sho dot1x all
> > > No Dot1x Configuration exists
> > > Cat3560-2(config-if)#
> > >
> > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > >
> > > Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html

Received on Fri Jul 22 2011 - 22:03:19 ART
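
The behaviour discussed in this thread (an access port with no port-control line is running the default, force-authorized, and therefore does no 802.1X authentication), as an added audit example that is not part of the original messages. The sample configuration is constructed in the style of the thread's output, and the function names are hypothetical.

```python
import re

# Constructed running-config in the style of the thread's output (not from a real switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/5
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport access vlan 567
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/7
 switchport mode access
 authentication port-control force-unauthorized
!
interface GigabitEthernet0/8
 switchport mode trunk
"""

# Both the earlier 802.1x form and the Authentication Manager form from Table 9-2.
PORT_CONTROL = re.compile(r"^(?:dot1x|authentication) port-control (\S+)$")

def effective_port_control(config):
    """Map each access port to its effective port-control state (hypothetical helper)."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    states = {}
    for name, body in stanzas.items():
        if "switchport mode access" not in body:
            continue
        explicit = [m.group(1) for m in map(PORT_CONTROL.match, body) if m]
        # No port-control line in the config means the default: force-authorized.
        states[name] = explicit[-1] if explicit else "force-authorized"
    return states

def open_access_ports(config):
    """Access ports that admit any device without 802.1X authentication."""
    return sorted(p for p, s in effective_port_control(config).items()
                  if s == "force-authorized")
```

Run against a saved `show running-config`, `open_access_ports` lists the ports that look unconfigured in the output but are in fact authorized for every device.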