cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3888
Views
5
Helpful
3
Replies

AAA config clarification... Difference "authentication port-control auto" AND "dot1x pae authenticator" ...

Beacon Bits
Level 1
Level 1

Hello everyone!

 

I'm using aaa dot1x config for some years.. but never got into the detail to understand which command does what.

Could you guy help!

What is the difference between:

Scenario:

int gi1/2/10

switchport mode access
switchport voice vlan 10
authentication host-mode multi-mode
authentication port-control auto
authentication order mab dot1x
authentication priority dot1x mab

mab
dot1x pae authenticator

 

Question:

I have highlight five commands two in Red and Blue, and one in Green.

What do you think about why we need: authentication port-control auto AND dot1x pae authenticator

AND

Why do we need these two: authentication order mab dot1x AND authentication priority dot1x mab

ALSO,

after entering the above commands why we still need the "mab" command at the end.

 

Answer/Solution:

??

 

Kind regards,

B

 

3 Replies 3

Beacon Bits
Level 1
Level 1

As usual, I will try to answer my own question.

 

so far, I discovered that authentication port-control auto command allows a port to initiate the dot1x process by sending the EAPOL_Start packet first to the connected device when the switch-port comes UP first .....

but if the connected device (PC or any dot1x enabled device) sends an EAPOL_Start packet first then the command dot1x pae authenticator will come in action and take the EAPOL_Start packet to forward to "Authentication Server". So the particular switch-port will play the role of "Authenticator" in the AAA process.

 

Note: I wonder what would be the scenario where a switch-port would be treated as "Supplicant" - dot1x pae supplicant

 

Remember: AAA process has 3 contributors (if you like)

Supplicant - PC/Mobile or dot1x enabled device

Authenticator - take the EAPOL messages and translate them into Radius/TACACS+ packets

Authentication Server - An actual server where the authentication/ authorization policy resides.

 

Kind regards,

B

Arne Bier
VIP
VIP

What are your own thoughts on this subject? I'd like to hear those first, then perhaps someone might feel willing to assist you along.

 

Doesn't sound like you have attempted to answer your own homework assignment questions.

 

Beacon Bits
Level 1
Level 1

First of all, @Arne Bier your negative comment does not motivate me at all instead I'm ignoring your negativity and pasting below Cisco's own statement:"

IEEE 802.1X Authentication Initiation and Message Exchange

During IEEE 802.1X authentication, the router or the supplicant can initiate authentication. If you enable authentication on a port by using the authentication port-control auto interface configuration command, the router initiates authentication when the link state changes from down to up or periodically if the port remains up and unauthenticated. 

"

 

and for the second command dot1x pae authenticator

 

Kieth has answered this in his reply here: https://learningnetwork.cisco.com/thread/14910

Keith's reply: " If we use the command "no dot1x pae authenticator" on the port, the switch will still have dot1x enabled on the port, but will not allow clients to authenticate and will leave the state as unauthorized. "

 

Cisco Docs:

"

Step 9dot1x pae [supplicant | authenticator | both]


Example:
Device(config-if)# dot1x pae authenticator
 

Sets the Port Access Entity (PAE) type.

  • supplicant—The interface acts only as a supplicant and does not respond to messages that are meant for an authenticator.

     

  • authenticator-—The interface acts only as an authenticator and does not respond to any messages meant for a supplicant.

     

  • both—The interface behaves both as a supplicant and as an authenticator and thus does respond to all dot1x messages.

"

Hence the above highlighted blue comment justifies what Keith said indirectly.

 

Sooo ... @Arne Bier ... if you have some info that is not in the Cisco Press Books or Cisco Documents etc etc.. then do share.

... that was the homework I did.. what is yours ????

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: