Do my SW-3560s need a different image?

Gabe

Hello community,

I would have thought my current image would be the one I needed to support all the topics covered in the current blueprint but for some reason I cannot enable dot1x at the port level. Is it my image?

SW1(config)#do sh run | i aaa|dot1x|radius
aaa new-model
aaa authentication login default none
aaa authentication dot1x MR group radius
aaa session-id common
dot1x system-auth-control
ip radius source-interface Loopback0
radius-server host 204.12.1.100 auth-port 1645 acct-port 1646 key CISCO
SW1(config)#int f0/9
SW1(config-if)#sw mod ac
SW1(config-if)#dot1x ? ---> the port-control keyword does not show
  credentials     Credentials profile configuration
  default         Configure Dot1x with default values for this port
  max-reauth-req  Max No. of Reauthentication Attempts
  max-req         Max No. of Retries
  max-start       Max No. of EAPOL-Start requests
  pae             Set 802.1x interface pae type
  supplicant      Configure supplicant parameters
  timeout         Various Timeouts

SW1(config-if)#do sh vers | i IOS
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)

Thanks in advance

sylhet2011

i think you need switchport mode access

wont work on switchport mode dynamic  -- if i can remember correctly

 

Gabe

They already are access ports, but yes you are correct it does not work if ports are not in access mode

sylhet2011

Gabe, my apologies  i should of read in more detail the output in your original post ,,

 

this is odd

my version below, i looked up on feature navigator -- no extra dot1x stuff  between our two versions

might be a syntax difference

Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)

(config-if)#dot1x ?
  auth-fail          Configure Authentication Fail values for this port
  control-direction  Set the control-direction on the interface
  critical           Enable 802.1x Critical Authentication
  default            Configure Dot1x with default values for this port
  guest-vlan         Configure Guest-vlan on this interface
  host-mode          Set the Host mode for 802.1x on this interface
  mac-auth-bypass    Enable MAC Auth Bypass
  max-reauth-req     Max No.of Reauthentication Attempts
  max-req            Max No.of Retries
  pae                Set 802.1x interface pae type
  port-control       set the port-control value
  reauthentication   Enable or Disable Reauthentication for this port
  timeout            Various Timeouts

 

 

Ford_Prefix

Try one of these methods:

- Enter the dot1x port-control command ignoring the lack of auto-completion

- Use the authentication port-control command

 

sylhet2011

i found this -- maybe this will help ?

 

Edit: apologies ford, i saw your post after i posted.

 

The authentication manager commands provide the same functionality as earlier 802.1x commands.

 

Table 10-2 Authentication Manager Commands and Earlier 802.1x Commands  

The authentication manager commands in Cisco IOS Release 12.2(50)SE or later	The equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier	Description
authentication control-direction {both |in}	dot1x control-direction {both | in}	Enable authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional.
authentication event	dot1x auth-fail vlan dot1x critical (interface configuration)  dot1x guest-vlan6	Enable the restricted VLAN on a port. Enable the inaccessible-authentication-bypass feature. Specify an active VLAN as an guest VLAN.
authentication fallback fallback-profile	dot1x fallback fallback-profile	Configure a port to use web authentication as a fallback method for clients that do not support authentication.
authentication host-mode [multi-auth |multi-domain | multi-host | single-host]	dot1x host-mode {single-host | multi-host | multi-domain}	Allow a single host (client) or multiple hosts on an authorized port.
authentication order	mab	Provides the flexibility to define the order of authentication methods to be used.
authentication periodic	dot1x reauthentication	Enable periodic re-authentication of the client.
authentication port-control {auto |force-authorized | force-un authorized}	dot1x port-control {auto | force-authorized | force-unauthorized}	Enable manual control of the authorization state of the port.
authentication timer	dot1x timeout	Set the timers.
authentication violation {protect |restrict | shutdown}	dot1x violation-mode {shutdown |restrict | protect}	Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.

Gabe

thank you everyone for your replies...

for some weird reason the port-control keyword seems to be hidden:

SW1(config-if)#dot1x ?
  credentials     Credentials profile configuration
  default         Configure Dot1x with default values for this port
  max-reauth-req  Max No. of Reauthentication Attempts
  max-req         Max No. of Retries
  max-start       Max No. of EAPOL-Start requests
  pae             Set 802.1x interface pae type
  supplicant      Configure supplicant parameters
  timeout         Various Timeouts

SW1(config-if)#dot1x port-control auto
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#do sh run int f0/10
Building configuration...

Current configuration : 117 bytes
!
interface FastEthernet0/10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
end