From: Noel Debouver III (noeldebouveriii@yahoo.com)
Date: Fri Jan 05 2007 - 21:34:34 ART
Yes, I did not include my local user database information. Part of the
scenario involves defining 2 users with different access levels. My
example config came from a Cisco NAC document from Cisco.com.
----- Original Message ----
From: Ivan <ivan@iip.net>
To: ccielab@groupstudy.com; Noel Debouver III <noeldebouveriii@yahoo.com>
Sent: Friday, January 5, 2007 6:20:11 PM
Subject: Re: 802.1x Interpretation
I think you are mixed up about failed authorization. Failed authorization and
a client that doesn't have dot1x support are different from each other.

dot1x auth-fail vlan 55 - for clients which failed the auth process
dot1x guest-vlan 11 - for clients which are not dot1x-capable

Also, you are not allowed to use an auth server.
Maybe you need something like this:

aaa authentication login def local
aaa authorization netw def if-auth

On Saturday 06 January 2007 02:00, Noel Debouver III wrote:
> Configure F0/1 to authorize clients with dot1x. The interface must be in
> unauthorized mode. If a client fails authorization, then he must be in
> VLAN_55. Users that don't have dot1x must also be in VLAN_11.
> NOTE: you are not allowed to configure an aaa authentication server for
> this task.
>
> I'm thinking:
> dot1x system-auth-control
> dot1x guest-vlan supplicant
>
> aaa new-model
> aaa authentication login default none
> aaa authentication dot1x default group radius
>
> int F0/1
> dot1x port-control auto
> dot1x guest-vlan 11
>
> What I am asking is would you interpret the question the same way? Why or
> why not? Would you configure it differently, why or why not?
>
> Your help would be appreciated.
>
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:55 ART