
2960 - mac-auth-bypass

lydia.walther
Level 1

Hello,

we want to use standalone mac authentication bypass (with freeradius).

Yesterday we tested it with a catalyst 3750 IOS 12.2(35) and it was working fine! The config on an interface looked like that:

(config-if)switchport mode access

(config-if)authentication port-control auto

(config-if)mab

(config-if)spanning-tree portfast

Today we tried to do the same with a catalyst 2960 IOS 12.2(44). I want to configure the interface like on the 3750, but I can't.

Every time I write the command "dot1x mac-auth-bypass" (I think this is the corresponding command to "mab") the switch automatically configures "dot1x pae authenticator" and "dot1x violation-mode protect" on the interface. So it looks like that:

interface GigabitEthernet0/1

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x violation-mode restrict

spanning-tree portfast

If I configure "no dot1x violation-mode protect" the switch accepts the command, but it doesn't remove the entry from the interface.

If I configure "no dot1x pae authenticator" the switch removes the whole config from the interface except "switchport mode access" and "spanning-tree...".

I don't understand what the problem is?! Is it not possible to use mac authentication bypass without dot1x (-> pae command) and violation-mode in this IOS version???

The violation-mode avoids the contact to the radius server. :-(

Thank you for your help.

Greetings Lydia

3 Replies

lydia.walther
Level 1

Now we upgraded the IOS to 12.2(58).

I'm now able to configure the "mab" command on an interface (like on IOS 12.2(35)). That was not possible on IOS 12.2(44), there was only "dot1x mac-auth-bypass".

So it's working now. But upgrading 40 switches to another IOS is not very joyful.

Greetings Lydia

That seems to be a code-specific issue, because I was just checking the command reference guide and it didn't specify that we needed those two commands with MAB. Otherwise it should have been specified in the usage guidelines under the command reference guide.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/command/reference/cli1.html#wpmkr11894860

~Jatin

Hey,

1. Does somebody know if you can use standalone MAB with dot1x guest vlan?

I tried it and the guest vlan was not set. Is it required to configure dot1x with the shortest timeout, so that MAB is starting fast and if it fails, there is the guest vlan?

2. In the config guide there is a sample configuration for standalone MAB. I'm wondering why they configure "switchport access vlan 40"??? In what situation does this take effect? Is it like the guest vlan? So, if mab fails, the port is configured with vlan 40???

interface FastEthernet2/48

switchport access vlan 40

switchport mode access

authentication port-control auto

mab

spanning-tree portfast

spanning-tree bpduguard enable

Greetings Lydia