Do my SW-3560s need a different image?

Hello community,

I would have thought my current image would be the one I needed to support all the topics covered in the current blueprint but for some reason I cannot enable dot1x at the port level. Is it my image?

SW1(config)#do sh run | i aaa|dot1x|radius
aaa new-model
aaa authentication login default none
aaa authentication dot1x MR group radius
aaa session-id common
dot1x system-auth-control
ip radius source-interface Loopback0
radius-server host 204.12.1.100 auth-port 1645 acct-port 1646 key CISCO
SW1(config)#int f0/9
SW1(config-if)#sw mod ac
SW1(config-if)#dot1x ? ---> the port-control keyword does not show
  credentials     Credentials profile configuration
  default         Configure Dot1x with default values for this port
  max-reauth-req  Max No. of Reauthentication Attempts
  max-req         Max No. of Retries
  max-start       Max No. of EAPOL-Start requests
  pae             Set 802.1x interface pae type
  supplicant      Configure supplicant parameters
  timeout         Various Timeouts

SW1(config-if)#do sh vers | i IOS
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)

Thanks in advance

Comments

  • I think you need switchport mode access

    won't work on switchport mode dynamic -- if I can remember correctly

  • They already are access ports, but yes you are correct it does not work if ports are not in access mode

  • Gabe, my apologies, I should have read the output in your original post in more detail.

    This is odd.

    My version is below. I looked it up on Feature Navigator -- no extra dot1x stuff between our two versions.

    Might be a syntax difference.

    Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)

    (config-if)#dot1x ?
      auth-fail          Configure Authentication Fail values for this port
      control-direction  Set the control-direction on the interface
      critical           Enable 802.1x Critical Authentication
      default            Configure Dot1x with default values for this port
      guest-vlan         Configure Guest-vlan on this interface
      host-mode          Set the Host mode for 802.1x on this interface
      mac-auth-bypass    Enable MAC Auth Bypass
      max-reauth-req     Max No.of Reauthentication Attempts
      max-req            Max No.of Retries
      pae                Set 802.1x interface pae type
      port-control       set the port-control value
      reauthentication   Enable or Disable Reauthentication for this port
      timeout            Various Timeouts

     

     

  • Try one of these methods:

    - Enter the dot1x port-control command ignoring the lack of auto-completion

    - Use the authentication port-control command

     

  • I found this -- maybe this will help?

    Edit: apologies ford, I saw your post after I posted.

    The authentication manager commands provide the same functionality as earlier 802.1x commands.

     


    Table 10-2 Authentication Manager Commands and Earlier 802.1x Commands

    Columns:
      New: The authentication manager commands in Cisco IOS Release 12.2(50)SE or later
      Old: The equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier
      Description

    New: authentication control-direction {both | in}
    Old: dot1x control-direction {both | in}
    Description: Enable authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional.

    New: authentication event
    Old: dot1x auth-fail vlan
         dot1x critical (interface configuration)
         dot1x guest-vlan
    Description: Enable the restricted VLAN on a port.
                 Enable the inaccessible-authentication-bypass feature.
                 Specify an active VLAN as a guest VLAN.

    New: authentication fallback fallback-profile
    Old: dot1x fallback fallback-profile
    Description: Configure a port to use web authentication as a fallback method for clients that do not support authentication.

    New: authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
    Old: dot1x host-mode {single-host | multi-host | multi-domain}
    Description: Allow a single host (client) or multiple hosts on an authorized port.

    New: authentication order
    Old: mab
    Description: Provides the flexibility to define the order of authentication methods to be used.

    New: authentication periodic
    Old: dot1x reauthentication
    Description: Enable periodic re-authentication of the client.

    New: authentication port-control {auto | force-authorized | force-unauthorized}
    Old: dot1x port-control {auto | force-authorized | force-unauthorized}
    Description: Enable manual control of the authorization state of the port.

    New: authentication timer
    Old: dot1x timeout
    Description: Set the timers.

    New: authentication violation {protect | restrict | shutdown}
    Old: dot1x violation-mode {shutdown | restrict | protect}
    Description: Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.

  • Thank you everyone for your replies...

    For some weird reason the port-control keyword seems to be hidden:

    SW1(config-if)#dot1x ?
      credentials     Credentials profile configuration
      default         Configure Dot1x with default values for this port
      max-reauth-req  Max No. of Reauthentication Attempts
      max-req         Max No. of Retries
      max-start       Max No. of EAPOL-Start requests
      pae             Set 802.1x interface pae type
      supplicant      Configure supplicant parameters
      timeout         Various Timeouts

    SW1(config-if)#dot1x port-control auto
    SW1(config-if)#
    SW1(config-if)#
    SW1(config-if)#
    SW1(config-if)#do sh run int f0/10
    Building configuration...

    Current configuration : 117 bytes
    !
    interface FastEthernet0/10
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
    end
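
Added example, not part of the thread: because the switch stores `dot1x port-control auto` as `authentication port-control auto`, a config audit that searches for only one syntax will misreport which access ports enforce 802.1X. The sketch below normalizes legacy commands using rows from the table quoted above and reports each access port's state; the function names and the sample config are assumptions made for illustration.

```python
# Legacy 802.1x prefix -> authentication manager prefix (rows of the table above).
LEGACY_TO_AUTH = {
    "dot1x port-control": "authentication port-control",
    "dot1x host-mode": "authentication host-mode",
    "dot1x control-direction": "authentication control-direction",
    "dot1x reauthentication": "authentication periodic",
    "dot1x violation-mode": "authentication violation",
}

# Constructed running-config excerpt for the demo, not taken from the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/9
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
interface FastEthernet0/11
 switchport mode access
interface FastEthernet0/24
 switchport mode trunk
"""

def normalize(line):
    """Rewrite a legacy dot1x command to its authentication manager form."""
    line = " ".join(line.split())
    for old, new in LEGACY_TO_AUTH.items():
        if line == old or line.startswith(old + " "):
            return new + line[len(old):]
    return line

def audit(config):
    """Map each access port to its port-control state, in either syntax."""
    blocks, name = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # "!" or a global command closes the block
            name = raw[len("interface "):].strip() if raw.startswith("interface ") else None
        elif name:
            blocks.setdefault(name, []).append(normalize(raw))
    result = {}
    for port, cmds in blocks.items():
        if "switchport mode access" in cmds:
            states = [c.split()[-1] for c in cmds if c.startswith("authentication port-control ")]
            result[port] = states[-1] if states else "not configured"
    return result

def unenforced(config):
    return [port for port, state in audit(config).items() if state != "auto"]
```

Feed `audit()` the text of `show running-config` from switches on either side of the 12.2(50)SE syntax change and the per-port results are directly comparable.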
