Same code version usually helps a little with dot1x on Cisco :-)
Otherwise, some long hours of inconsistencies may start to crop up.
Sadiq
On Fri, Jul 22, 2011 at 9:13 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> Yes, when you're preparing for the lab, you must use exactly the same
> software version to not be surprised with some issues like that.
>
> To be honest, the code for dot1x has been changed several times in the past
> few years and you cannot be sure if the same dot1x feature is there on
> different platforms and if this behaves in the same way. Hopefully it is
> more stable, consistent and streamlined in 12.2(55) and above.
>
> Regards,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2011/7/22 -Hammer- <bhmccie_at_gmail.com>
>
> > Thanks Piotr. I've come to realize the version is the issue. I was
> > expecting to be able to produce the same result as I was seeing in the
> > workbook since I had the same platform and the versions weren't that far
> > off. It was a mistake on my part.
> >
> > Betting on consistency with Cisco is just plain risky....
> >
> > -Hammer-
> >
> > "I was a normal American nerd"
> > -Jack Herer
> >
> >
> >
> > On 07/22/2011 03:03 PM, Piotr Matusiak wrote:
> >
> > Hammer,
> >
> > I don't get what's the problem here.
> > "force-authorized" is a default setting so it may not be visible in the
> > config.
> > It disabled dot1x on the port so there will be "no dot1x configuration"
> > message - similarly to the port where you haven't configured anything yet.
> >
> > If you want to see the output as it is in the workbook, start using the
> > same IOS version.
> >
> > Regards,
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, Security), CCSI #33705
> > Technical Instructor
> > website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> > blog: www.ccie1.com
> >
> > If you can't explain it simply, you don't understand it well enough -
> > Albert Einstein
> >
> >
> > 2011/7/22 -Hammer- <bhmccie_at_gmail.com>
> >
> >> It's in table 9-2 on the 3560 doc. 7th block down.
> >>
> >> -Hammer-
> >>
> >> "I was a normal American nerd"
> >> -Jack Herer
> >>
> >>
> >>
> >> On 07/22/2011 01:34 PM, garry baker wrote:
> >> > some serious inconsistencies with dot1x configuration
> >> > the command 'dot1x port-control force-authorized' i cannot even find
> >> > in the configuration guide:
> >> >
> >> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1186540
> >> > and of course there is the entire rework of it later on in the config
> >> > guide:
> >> >
> >> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/sw8021x.html#wp1468844
> >> >
> >> > Table 9-2 Authentication Manager Commands and Earlier 802.1x Commands
> >> >
> >> > authentication port-control {auto | force-authorized | force-unauthorized}
> >> >
> >> >
> >> >
> >> > *dot1x port-control {auto | force-authorized | force-unauthorized}*
> >> >
> >> >
> >> >
> >> > Enable manual control of the authorization state of the port.
> >> >
> >> > --
> >> > Garry L. Baker
> >> >
> >> > "With sufficient thrust, pigs fly just fine..." - RFC 1925
> >> >
> >> >
> >> >
> >> > On Fri, Jul 22, 2011 at 9:25 PM, -Hammer- <bhmccie_at_gmail.com
> >> > <mailto:bhmccie_at_gmail.com>> wrote:
> >> >
> >> > Ha! Hey Joe. Nice try but I already have it enabled. :)
> >> >
> >> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >> > Cat3560-2(config)#do sho run | in aaa
> >> > aaa new-model
> >> > aaa authentication login default none
> >> > aaa authentication dot1x default group radius
> >> > aaa session-id common
> >> > Cat3560-2(config)#
> >> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >> >
> >> > I'm clearly misunderstanding something. See below. I can apply
> >> > "force-author" and nothing happens. I apply "auto" and it works. I go
> >> > back and apply "force author" and it stops displaying again.
> >> >
> >> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >> > Cat3560-2(config-if)#do sho run int gi0/6
> >> > Building configuration...
> >> >
> >> > Current configuration : 134 bytes
> >> > !
> >> > interface GigabitEthernet0/6
> >> > description R6 Fa0/0
> >> > switchport access vlan 567
> >> > switchport mode access
> >> > spanning-tree portfast
> >> > end
> >> >
> >> > Cat3560-2(config-if)#int gi0/6
> >> > Cat3560-2(config-if)#dot1x port force-author
> >> > Cat3560-2(config-if)#do sho run int gi0/6
> >> > Building configuration...
> >> >
> >> > Current configuration : 134 bytes
> >> > !
> >> > interface GigabitEthernet0/6
> >> > description R6 Fa0/0
> >> > switchport access vlan 567
> >> > switchport mode access
> >> > spanning-tree portfast
> >> > end
> >> >
> >> > Cat3560-2(config-if)#dot1x port auto
> >> > Cat3560-2(config-if)#
> >> > Cat3560-2(config-if)#
> >> > Cat3560-2(config-if)#
> >> > 01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> >> > GigabitEthernet0/6, changed state to down
> >> > Cat3560-2(config-if)#
> >> > Cat3560-2(config-if)#do sho run int gi0/6
> >> > Building configuration...
> >> >
> >> > Current configuration : 160 bytes
> >> > !
> >> > interface GigabitEthernet0/6
> >> > description R6 Fa0/0
> >> > switchport access vlan 567
> >> > switchport mode access
> >> > dot1x port-control auto
> >> > spanning-tree portfast
> >> > end
> >> >
> >> > Cat3560-2(config-if)#
> >> > Cat3560-2(config-if)#dot1x port force-author
> >> > Cat3560-2(config-if)#
> >> > Cat3560-2(config-if)#
> >> > 01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> >> > GigabitEthernet0/6, changed state to up
> >> > Cat3560-2(config-if)#
> >> > Cat3560-2(config-if)#do sho run int gi0/6
> >> > Building configuration...
> >> >
> >> > Current configuration : 134 bytes
> >> > !
> >> > interface GigabitEthernet0/6
> >> > description R6 Fa0/0
> >> > switchport access vlan 567
> >> > switchport mode access
> >> > spanning-tree portfast
> >> > end
> >> >
> >> > Cat3560-2(config-if)#
> >> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >> >
> >> > -Hammer-
> >> >
> >> > "I was a normal American nerd"
> >> > -Jack Herer
> >> >
> >> >
> >> >
> >> > On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
> >> > > Enabling it globally?
> >> > >
> >> > > Please hammer, don't hurt 'em!
> >> > >
> >> > > Aaa new-model
> >> > > Aaa authen dot1x default group radius
> >> > >
> >> > > dot1x system-auth-control
> >> > >
> >> > > Now you're "too legit to quit" and you "can touch this"
> >> > >
> >> > > -joe
> >> > >
> >> > > -----Original Message-----
> >> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of -Hammer-
> >> > > Sent: Friday, July 22, 2011 1:53 PM
> >> > > To: ccielab_at_groupstudy.com <mailto:ccielab_at_groupstudy.com>
> >> > > Subject: dot1x missing?
> >> > >
> >> > > I know the trick that dot1x commands won't show up on an interface until
> >> > > it's in access but am I missing something else here?
> >> > > Port enabled
> >> > > Dot1x enabled
> >> > > port in access mode
> >> > > dot1x configuration to port - FAIL
> >> > >
> >> > >
> >> >
> >>
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!
> >> > > Cat3560-2(config)#do sho run | in dot
> >> > > aaa authentication dot1x default group radius
> >> > > dot1x system-auth-control
> >> > > vlan dot1q tag native
> >> > > Cat3560-2(config)#do sho run int gi0/6
> >> > > Building configuration...
> >> > >
> >> > > Current configuration : 110 bytes
> >> > > !
> >> > > interface GigabitEthernet0/6
> >> > > description R6 Fa0/0
> >> > > switchport access vlan 567
> >> > > switchport mode access
> >> > > end
> >> > >
> >> > > Cat3560-2(config)#int gi0/6
> >> > > Cat3560-2(config-if)#dot1x port-control force-author
> >> > > Cat3560-2(config-if)#do sho run int gi0/6
> >> > > Building configuration...
> >> > >
> >> > > Current configuration : 110 bytes
> >> > > !
> >> > > interface GigabitEthernet0/6
> >> > > description R6 Fa0/0
> >> > > switchport access vlan 567
> >> > > switchport mode access
> >> > > end
> >> > >
> >> > > Cat3560-2(config-if)#
> >> > > Cat3560-2(config-if)#do sho dot1x
> >> > > Sysauthcontrol = Enabled
> >> > > Supplicant Allowed In Guest Vlan = Disabled
> >> > > Dot1x Protocol Version = 1
> >> > > Dot1x Oper Controlled Directions = Both
> >> > > Dot1x Admin Controlled Directions = Both
> >> > >
> >> > > Cat3560-2(config-if)#do sho dot1x all
> >> > > No Dot1x Configuration exists
> >> > > Cat3560-2(config-if)#
> >> > >
> >> >
> >>
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> > _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
-- CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
Received on Mon Jul 25 2011 - 10:46:45 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART
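
An added example, not code from the thread: as the quoted output shows, `force-authorized` leaves no line in `show run`, so a config audit has to treat an access port with no port-control line as force-authorized (open without 802.1X). The sample config is constructed, and the function names are assumptions of this example.

```python
import re

# Constructed sample modelled on the interface output quoted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/5
 switchport mode trunk
!
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport access vlan 567
 switchport mode access
!
interface GigabitEthernet0/7
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/8
 switchport mode access
 authentication port-control force-unauthorized
"""

# Matches the earlier 802.1x form and the Authentication Manager form.
PORT_CONTROL = re.compile(
    r"^(?:dot1x|authentication) port-control (auto|force-(?:un)?authorized)$")


def port_control_states(config):
    """Map each access port to its state; no port-control line means the
    default, force-authorized, which is not written to the running config."""
    states, name, state, access = {}, None, None, False
    # The trailing sentinel flushes the last interface block.
    for line in [l.strip() for l in config.splitlines()] + ["interface"]:
        if line.split(" ")[0] == "interface":
            if name and access:
                states[name] = state or "force-authorized"
            name, state, access = line[len("interface"):].strip(), None, False
        elif line == "switchport mode access":
            access = True
        elif PORT_CONTROL.match(line):
            state = PORT_CONTROL.match(line).group(1)
    return states


def unauthenticated_ports(config):
    """Access ports that pass traffic without 802.1X authentication."""
    states = port_control_states(config)
    return sorted(p for p, s in states.items() if s == "force-authorized")


if __name__ == "__main__":
    for port in unauthenticated_ports(SAMPLE_CONFIG):
        print(f"{port}: force-authorized (no port-control line shown)")
```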