After doing a little R&D I found.. Known caveats associated with Authentication Fail VLAN are documented with CSCsj80588, CSCsj51624, and CSCsj55636
------------------------
When I searched for these CSC... I got
--------------------------------
CSCsb77186 Bug Details
Information contained within bug ID CSCsb77186 is only available to Cisco employees. It is our policy to make all externally-facing bugs available in Bug Toolkit so the system administrators have been automatically alerted to the problem. By choosing to save this bug, you may be notified when the decision to make this bug available to you has been made. Note: Some product enhancement requests and documentation error bugs may not be available in Bug Toolkit.
--------------------------
:)
Moving on... already spent too much time.... let's see if I get a response from dear vendors...
Thanks for helping....
________________________________
From: ALL From_NJ <all.from.nj_at_gmail.com>
To: CCIE League <ccieleague_at_ymail.com>
Cc: Ryan West <rwest_at_zyedge.com>; Darby Weaver <darby.weaver_at_gmail.com>; CCIEGS <ccielab_at_groupstudy.com>
Sent: Monday, 24 August, 2009 0:24:08
Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
Maybe one of the vendors can comment, but even though it states multiple hosts will be connected to the port, it does not say that multi-host mode should be used.
The labs I have been working on, normally say something like "allow all hosts access when only one host authenticates" ... something like this to indicate multi-host mode.
Sounds like you might need only single host mode. Although, I would also agree that the task is worded in such a way to suggest multiple hosts.
Would be interested to hear one of the vendor guys speak, but as you found, the configs are not compatible. After it fails, might be a good time to formulate a question and ask a proctor.
Something like - should I read this question to indicate that if one host authenticates, all others should be allowed, or should I read this as different hosts may plug into this port?
Not sure ... just thinking out loud ... ;-)
Andrew
On Sun, Aug 23, 2009 at 7:09 PM, CCIE League <ccieleague_at_ymail.com> wrote:
>Thanks... still trying to figure out.... thanks Ryan for the doc...
>
>Q says multiple hosts connected to this interface f0/14.
>Hosts failing "authorisation" should go to vlan 99 also hosts without dot1x support go to vlan 99
>
________________________________
From: ALL From_NJ <all.from.nj_at_gmail.com>
>To: Ryan West <rwest_at_zyedge.com>
>Cc: Darby Weaver <darby.weaver_at_gmail.com>; CCIE League <ccieleague_at_ymail.com>; CCIEGS <ccielab_at_groupstudy.com>
>Sent: Sunday, 23 August, 2009 23:45:20
>
>Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>
>
>(Was writing this when I saw Ryan's response ;-))
>
>In an odd way ... it kind of makes sense to me.
>
>Multi-host mode says that when any one single client, out of the many clients available, authenticates on the port, then authorize and enable the port on the network.
>
>The auth-fail command is saying that when a client fails authentication, they should be placed into a particular vlan. These two are not complementary to each other since they could 'override' each other. Makes sense?
>
>Mr League, does the task ask you to support clients who do not support dot1x? Or not when they fail auth? etc ... Just curious as to what the task is asking for.
>
>HTH,
>
>Andrew Lee Lissitz
>
>
>
>
>On Sun, Aug 23, 2009 at 6:37 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>Configuration guide is your friend:
>>
>>http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1179086
>>
>>It makes sense when you think about what it's trying to accomplish.
>>
>>-ryan
>>
>>
>>-----Original Message-----
>>From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Darby Weaver
>>Sent: Sunday, August 23, 2009 6:27 PM
>>To: CCIE League
>>Cc: CCIEGS
>>Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>>
>>What version of IOS?
>>
>>I recall configuring this using multi-host without getting errors?
>>
>>On Sun, Aug 23, 2009 at 3:56 PM, CCIE League <ccieleague_at_ymail.com> wrote:
>>
>>> I am getting the following message when setting Auth fail VLAN where I have
>>> to config multi-host support also.
>>>
>>>
>>>
>>> SW1(config-if)#dot1x auth-fail vlan 99
>>>
>>> Command rejected: Port is in multi-host mode
>>>
>>> Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>>>
>>>
>>> --------Config --------------
>>> aaa new-model
>>> aaa authentication dot1x default group radius
>>>
>>> dot1x system-auth-control
>>> dot1x guest-vlan supplicant
>>> !
>>> interface FastEthernet0/14
>>> switchport mode access
>>> dot1x port-control auto
>>> dot1x host-mode multi-host
>>> dot1x guest-vlan 99
>>> spanning-tree portfast
>>>
>>> ------------------------------------------------
>>>
>>>
>>>
>>>
>>> Thanks for your help...
>>>
>>>
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com

Blogs and organic groups at http://www.ccie.net

Received on Mon Aug 24 2009 - 00:07:15 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
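
An offline check for the incompatibility discussed in this thread, added here as an example (it is not code from any poster or from Cisco): it scans IOS-style interface stanzas for `dot1x host-mode multi-host` and for that mode combined with `dot1x auth-fail vlan`. The sample config is constructed from the posted Fa0/14 stanza; FastEthernet0/15 and the function names are hypothetical.

```python
# Constructed sample: the Fa0/14 stanza from the thread with the rejected
# auth-fail line added, plus a hypothetical single-host port (Fa0/15).
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface FastEthernet0/14
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
!
interface FastEthernet0/15
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
!
"""

def parse_interfaces(config):
    """Map interface name -> list of its commands; a stanza ends at '!'."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())   # tolerate archive-mangled indentation
        if line.lower().startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def audit_dot1x(config):
    """Return (interface, finding) pairs for 802.1X host-mode issues."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "dot1x port-control auto" not in cmds:
            continue                   # port is not doing 802.1X at all
        multi_host = "dot1x host-mode multi-host" in cmds
        auth_fail = any(c.startswith("dot1x auth-fail vlan ") for c in cmds)
        if multi_host:
            # One authenticated client authorizes the port for every host.
            findings.append((name, "multi-host: one authenticated client opens the port to all hosts"))
        if multi_host and auth_fail:
            # The switch rejects this pair ("Port is in multi-host mode").
            findings.append((name, "auth-fail vlan not supported with multi-host"))
    return findings

if __name__ == "__main__":
    for iface, issue in audit_dot1x(SAMPLE_CONFIG):
        print(f"{iface}: {issue}")
```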