
Do my SW-3560s need a different image?
Hello community,
I would have thought my current image would be the one I needed to support all the topics covered in the current blueprint but for some reason I cannot enable dot1x at the port level. Is it my image?
SW1(config)#do sh run | i aaa|dot1x|radius
aaa new-model
aaa authentication login default none
aaa authentication dot1x MR group radius
aaa session-id common
dot1x system-auth-control
ip radius source-interface Loopback0
radius-server host 204.12.1.100 auth-port 1645 acct-port 1646 key CISCO
SW1(config)#int f0/9
SW1(config-if)#sw mod ac
SW1(config-if)#dot1x ? ---> the port-control keyword does not show
credentials Credentials profile configuration
default Configure Dot1x with default values for this port
max-reauth-req Max No. of Reauthentication Attempts
max-req Max No. of Retries
max-start Max No. of EAPOL-Start requests
pae Set 802.1x interface pae type
supplicant Configure supplicant parameters
timeout Various Timeouts
SW1(config-if)#do sh vers | i IOS
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Thanks in advance
Comments
I think you need switchport mode access
won't work on switchport mode dynamic -- if I can remember correctly
They already are access ports, but yes you are correct it does not work if ports are not in access mode
Gabe, my apologies, I should have read in more detail the output in your original post.
This is odd.
My version is below. I looked it up on Feature Navigator -- no extra dot1x stuff between our two versions.
Might be a syntax difference.
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)
(config-if)#dot1x ?
auth-fail Configure Authentication Fail values for this port
control-direction Set the control-direction on the interface
critical Enable 802.1x Critical Authentication
default Configure Dot1x with default values for this port
guest-vlan Configure Guest-vlan on this interface
host-mode Set the Host mode for 802.1x on this interface
mac-auth-bypass Enable MAC Auth Bypass
max-reauth-req Max No.of Reauthentication Attempts
max-req Max No.of Retries
pae Set 802.1x interface pae type
port-control set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout Various Timeouts
Try one of these methods:
- Enter the dot1x port-control command ignoring the lack of auto-completion
- Use the authentication port-control command
I found this -- maybe this will help?
Edit: apologies ford, I saw your post after I posted.
The authentication manager commands provide the same functionality as earlier 802.1x commands.
Table 10-2 Authentication Manager Commands and Earlier 802.1x Commands
- authentication control-direction {both | in}
  Earlier command: dot1x control-direction {both | in}
  Description: Enable authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional.
- authentication event
  Earlier commands: dot1x auth-fail vlan; dot1x critical (interface configuration); dot1x guest-vlan
  Description: Enable the restricted VLAN on a port. Enable the inaccessible-authentication-bypass feature. Specify an active VLAN as a guest VLAN.
- authentication fallback fallback-profile
  Earlier command: dot1x fallback fallback-profile
  Description: Configure a port to use web authentication as a fallback method for clients that do not support authentication.
- authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
  Earlier command: dot1x host-mode {single-host | multi-host | multi-domain}
  Description: Allow a single host (client) or multiple hosts on an authorized port.
- authentication order
  Earlier command: mab
  Description: Provides the flexibility to define the order of authentication methods to be used.
- authentication periodic
  Earlier command: dot1x reauthentication
  Description: Enable periodic re-authentication of the client.
- authentication port-control {auto | force-authorized | force-unauthorized}
  Earlier command: dot1x port-control {auto | force-authorized | force-unauthorized}
  Description: Enable manual control of the authorization state of the port.
- authentication timer
  Earlier command: dot1x timeout
  Description: Set the timers.
- authentication violation {protect | restrict | shutdown}
  Earlier command: dot1x violation-mode {shutdown | restrict | protect}
  Description: Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
thank you everyone for your replies...
for some weird reason the port-control keyword seems to be hidden:
SW1(config-if)#dot1x ?
credentials Credentials profile configuration
default Configure Dot1x with default values for this port
max-reauth-req Max No. of Reauthentication Attempts
max-req Max No. of Retries
max-start Max No. of EAPOL-Start requests
pae Set 802.1x interface pae type
supplicant Configure supplicant parameters
timeout Various Timeouts
SW1(config-if)#dot1x port-control auto
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#do sh run int f0/10
Building configuration...
Current configuration : 117 bytes
!
interface FastEthernet0/10
switchport mode access
authentication port-control auto
dot1x pae authenticator
end
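The output above shows the switch accepting `dot1x port-control auto` and storing it as `authentication port-control auto`, so a check for access ports that lack 802.1X port control has to recognise both syntaxes. The Python below is an added example, not posted by anyone in the thread; the function names and the sample configuration are constructed, and the keyword map covers only the Table 10-2 rows whose arguments are the same in both forms.

```python
import re

# Table 10-2 rows whose arguments carry over unchanged (earlier -> newer keyword).
LEGACY_TO_AUTH = {
    "control-direction": "control-direction", "fallback": "fallback",
    "host-mode": "host-mode", "port-control": "port-control",
    "reauthentication": "periodic", "violation-mode": "violation",
}

def normalize(line):
    """Rewrite a 'dot1x <keyword> ...' line in authentication manager form."""
    m = re.match(r"dot1x\s+(\S+)(.*)", line)
    if m and m.group(1) in LEGACY_TO_AUTH:
        return "authentication " + LEGACY_TO_AUTH[m.group(1)] + m.group(2)
    return line

def parse_interfaces(config):
    """Return {interface: [normalized sub-commands]} from 'show run' text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1].strip(), [])
        elif not raw.startswith(" "):   # "!", "end" or a global command
            current = None
        elif current is not None:
            current.append(normalize(raw.strip()))
    return interfaces

def access_ports_without_auto(config):
    """Access ports where neither syntax sets port-control to auto."""
    return sorted(name for name, cmds in parse_interfaces(config).items()
                  if "switchport mode access" in cmds
                  and "authentication port-control auto" not in cmds)

# Constructed sample: Fa0/9 uses the earlier syntax, Fa0/10 the newer one,
# Fa0/11 has no port control configured.
SAMPLE = """\
interface FastEthernet0/9
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/11
 switchport mode access
!
"""
```

Calling `access_ports_without_auto(SAMPLE)` returns only the port with no port control configured; a port set to `force-authorized` would also be reported, since it bypasses authentication.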