11-18-2019 11:08 AM
Hello everyone!
I'm using aaa dot1x config for some years.. but never got into the detail to understand which command does what.
Could you guy help!
What is the difference between:
Scenario:
int gi1/2/10
switchport mode access
switchport voice vlan 10
authentication host-mode multi-mode
authentication port-control auto
authentication order mab dot1x
authentication priority dot1x mab
mab
dot1x pae authenticator
Question:
I have highlight five commands two in Red and Blue, and one in Green.
What do you think about why we need: authentication port-control auto AND dot1x pae authenticator
AND
Why do we need these two: authentication order mab dot1x AND authentication priority dot1x mab
ALSO,
after entering the above commands why we still need the "mab" command at the end.
Answer/Solution:
??
Kind regards,
B
11-18-2019 12:49 PM
As usual, I will try to answer my own question.
so far, I discovered that authentication port-control auto command allows a port to initiate the dot1x process by sending the EAPOL_Start packet first to the connected device when the switch-port comes UP first .....
but if the connected device (PC or any dot1x enabled device) sends an EAPOL_Start packet first then the command dot1x pae authenticator will come in action and take the EAPOL_Start packet to forward to "Authentication Server". So the particular switch-port will play the role of "Authenticator" in the AAA process.
Note: I wonder what would be the scenario where a switch-port would be treated as "Supplicant" - dot1x pae supplicant
Remember: AAA process has 3 contributors (if you like)
Supplicant - PC/Mobile or dot1x enabled device
Authenticator - take the EAPOL messages and translate them into Radius/TACACS+ packets
Authentication Server - An actual server where the authentication/ authorization policy resides.
Kind regards,
B
11-18-2019 01:37 PM
What are your own thoughts on this subject? I'd like to hear those first, then perhaps someone might feel willing to assist you along.
Doesn't sound like you have attempted to answer your own homework assignment questions.
11-18-2019 02:00 PM
First of all, @Arne Bier your negative comment does not motivate me at all instead I'm ignoring your negativity and pasting below Cisco's own statement:"
During IEEE 802.1X authentication, the router or the supplicant can initiate authentication. If you enable authentication on a port by using the authentication port-control auto interface configuration command, the router initiates authentication when the link state changes from down to up or periodically if the port remains up and unauthenticated.
"
and for the second command dot1x pae authenticator
Kieth has answered this in his reply here: https://learningnetwork.cisco.com/thread/14910
Keith's reply: " If we use the command "no dot1x pae authenticator" on the port, the switch will still have dot1x enabled on the port, but will not allow clients to authenticate and will leave the state as unauthorized. "
Cisco Docs:
"
Step 9 | dot1x pae [supplicant | authenticator | both] Example: Device(config-if)# dot1x pae authenticator | Sets the Port Access Entity (PAE) type.
|
"
Hence the above highlighted blue comment justifies what Keith said indirectly.
Sooo ... @Arne Bier ... if you have some info that is not in the Cisco Press Books or Cisco Documents etc etc.. then do share.
... that was the homework I did.. what is yours ????
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide