It's in table 9-2 on the 3560 doc. 7th block down.
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/22/2011 01:34 PM, garry baker wrote:
> some serious inconsistencies with dot1x configuration
> the command 'dot1x port-control force-authorized' I cannot even find 
> in the configuration guide:
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1186540
> and of course there is the entire rework of it later on in the config 
> guide:
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/sw8021x.html#wp1468844
>
> Table 9-2 Authentication Manager Commands and Earlier 802.1x Commands
>
> authentication port-control {auto | force-authorized | force-unauthorized}
>
> dot1x port-control {auto | force-authorized | force-unauthorized}
>
> Enable manual control of the authorization state of the port.
>
> --
> Garry L. Baker
>
> "With sufficient thrust, pigs fly just fine..." - RFC 1925
>
>
>
> On Fri, Jul 22, 2011 at 9:25 PM, -Hammer- <bhmccie_at_gmail.com> wrote:
>
>     Ha! Hey Joe. Nice try but I already have it enabled. :)
>
>     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>     Cat3560-2(config)#do sho run | in aaa
>     aaa new-model
>     aaa authentication login default none
>     aaa authentication dot1x default group radius
>     aaa session-id common
>     Cat3560-2(config)#
>     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
>     I'm clearly misunderstanding something.  See below. I can apply
>     "force-author" and nothing happens. I apply "auto" and it works. I go
>     back and apply "force author" and it stops displaying again.
>
>     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>     Cat3560-2(config-if)#do sho run int gi0/6
>     Building configuration...
>
>     Current configuration : 134 bytes
>     !
>     interface GigabitEthernet0/6
>      description R6 Fa0/0
>      switchport access vlan 567
>      switchport mode access
>      spanning-tree portfast
>     end
>
>     Cat3560-2(config-if)#int gi0/6
>     Cat3560-2(config-if)#dot1x port force-author
>     Cat3560-2(config-if)#do sho run int gi0/6
>     Building configuration...
>
>     Current configuration : 134 bytes
>     !
>     interface GigabitEthernet0/6
>      description R6 Fa0/0
>      switchport access vlan 567
>      switchport mode access
>      spanning-tree portfast
>     end
>
>     Cat3560-2(config-if)#dot1x port auto
>     Cat3560-2(config-if)#
>     Cat3560-2(config-if)#
>     Cat3560-2(config-if)#
>     01:43:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface
>     GigabitEthernet0/6, changed state to down
>     Cat3560-2(config-if)#
>     Cat3560-2(config-if)#do sho run int gi0/6
>     Building configuration...
>
>     Current configuration : 160 bytes
>     !
>     interface GigabitEthernet0/6
>      description R6 Fa0/0
>      switchport access vlan 567
>      switchport mode access
>      dot1x port-control auto
>      spanning-tree portfast
>     end
>
>     Cat3560-2(config-if)#
>     Cat3560-2(config-if)#dot1x port force-author
>     Cat3560-2(config-if)#
>     Cat3560-2(config-if)#
>     01:43:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface
>     GigabitEthernet0/6, changed state to up
>     Cat3560-2(config-if)#
>     Cat3560-2(config-if)#do sho run int gi0/6
>     Building configuration...
>
>     Current configuration : 134 bytes
>     !
>     interface GigabitEthernet0/6
>      description R6 Fa0/0
>      switchport access vlan 567
>      switchport mode access
>      spanning-tree portfast
>     end
>
>     Cat3560-2(config-if)#
>     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
>     -Hammer-
>
>     "I was a normal American nerd"
>     -Jack Herer
>
>
>
>     On 07/22/2011 01:18 PM, Joseph L. Brunner wrote:
>     > Enabling it globally?
>     >
>     > Please hammer, don't hurt 'em!
>     >
>     > Aaa new-model
>     > Aaa authen dot1x default group radius
>     >
>     > dot1x system-auth-control
>     >
>     > Now you're "too legit to quit" and you "can touch this"
>     >
>     > -joe
>     >
>     > -----Original Message-----
>     > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of -Hammer-
>     > Sent: Friday, July 22, 2011 1:53 PM
>     > To: ccielab_at_groupstudy.com
>     > Subject: dot1x missing?
>     >
>     > I know the trick that dot1x commands won't show up on an interface until
>     > it's in access but am I missing something else here?
>     > Port enabled
>     > Dot1x enabled
>     > port in access mode
>     > dot1x configuration to port - FAIL
>     >
>     >
>     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>     > Cat3560-2(config)#do sho run | in dot
>     > aaa authentication dot1x default group radius
>     > dot1x system-auth-control
>     > vlan dot1q tag native
>     > Cat3560-2(config)#do sho run int gi0/6
>     > Building configuration...
>     >
>     > Current configuration : 110 bytes
>     > !
>     > interface GigabitEthernet0/6
>     >    description R6 Fa0/0
>     >    switchport access vlan 567
>     >    switchport mode access
>     > end
>     >
>     > Cat3560-2(config)#int gi0/6
>     > Cat3560-2(config-if)#dot1x port-control force-author
>     > Cat3560-2(config-if)#do sho run int gi0/6
>     > Building configuration...
>     >
>     > Current configuration : 110 bytes
>     > !
>     > interface GigabitEthernet0/6
>     >    description R6 Fa0/0
>     >    switchport access vlan 567
>     >    switchport mode access
>     > end
>     >
>     > Cat3560-2(config-if)#
>     > Cat3560-2(config-if)#do sho dot1x
>     > Sysauthcontrol                    = Enabled
>     > Supplicant Allowed In Guest Vlan  = Disabled
>     > Dot1x Protocol Version            = 1
>     > Dot1x Oper Controlled Directions  = Both
>     > Dot1x Admin Controlled Directions = Both
>     >
>     > Cat3560-2(config-if)#do sho dot1x all
>     > No Dot1x Configuration exists
>     > Cat3560-2(config-if)#
>     >
>     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
>
>     Blogs and organic groups at http://www.ccie.net
>
>     _______________________________________________________________________
>     Subscription information may be found at:
>     http://www.groupstudy.com/list/CCIELab.html
Received on Fri Jul 22 2011 - 13:39:22 ART
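
An added example, not part of the original thread: force-authorized is the IOS default for port-control, so the switch accepts the command but does not write it to the running configuration, which matches the output quoted above. A configuration audit therefore has to treat a missing port-control line on an access port as a port that is not running 802.1X. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Legacy and Authentication Manager forms, paired in Table 9-2 quoted in the thread.
PORT_CONTROL = re.compile(
    r"(?:dot1x|authentication) port-control (auto|force-authorized|force-unauthorized)$")

def parse_interfaces(running_config):
    """Split running-config text into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!", "end" or any unindented line closes the stanza
    return stanzas

def port_control_state(stanza):
    """Effective 802.1X state of a port; a missing line means the default."""
    for line in stanza:
        m = PORT_CONTROL.match(line)
        if m:
            return m.group(1)
    return "force-authorized"  # IOS default, not written to running-config

def unauthenticated_access_ports(running_config):
    """Access ports that forward traffic without any 802.1X exchange."""
    return sorted(
        name for name, stanza in parse_interfaces(running_config).items()
        if "switchport mode access" in stanza
        and port_control_state(stanza) == "force-authorized")

# Constructed sample: Gi0/6 as shown in the thread; Gi0/7 and Gi0/8 are hypothetical.
SAMPLE = """\
interface GigabitEthernet0/6
 description R6 Fa0/0
 switchport access vlan 567
 switchport mode access
!
interface GigabitEthernet0/7
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/8
 switchport mode access
 authentication port-control auto
!
"""
```

Calling `unauthenticated_access_ports(SAMPLE)` reports only GigabitEthernet0/6, the port whose stanza carries no port-control line.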