
07-23-2020 06:48 AM
Hi,
Is there any reason for the errors below, "Command rejected: Dot1x is not supported on this interface." and "Mab not supported on this interface.", for port gi5/47? Other ports are OK.
cx001(config-if-range)# source template dot1x-ports
Command rejected (GigabitEthernet5/47): Mab not supported on this interface.
Interface GigabitEthernet5/47 Command rejected: Dot1x is not supported on this interface.
cx001#sh run int gi5/47
interface GigabitEthernet5/47
no cdp enable
source template dot1x-ports
end
cx001#sh run int gi5/46
interface GigabitEthernet5/46
switchport trunk allowed vlan 1,30
switchport mode trunk
switchport nonegotiate
switchport voice vlan 30
no cdp enable
source template dot1x-ports
end
Labels: Identity Services Engine (ISE)
07-23-2020 08:06 AM
Did you try to default the interface and then reapply the commands?
07-23-2020 08:09 AM
07-23-2020 08:54 AM
Hi,
May I know why it is NOT recommended to deploy 802.1x on trunk ports?

07-23-2020 04:43 PM
802.1x is only supported on a trunk port when using NEAT, and only with specific hardware/software versions. For full 802.1x/MAB feature support, the interface must be configured in Access mode.
If you provide the use case requirement for enabling 802.1x on a trunk port, there may be another option to consider.

07-30-2020 08:28 AM
Hi,
For the example below, can I say that without the "switchport mode access" command on the interface, it (gi1/1) will not be affected by either monitor or closed 802.1x mode, and therefore will not be involved in the 802.1x operation of being blocked/allowed?
Because some interfaces have config like below:
int gi1/1
switchport access vlan 50
source template 802_1x
int gi1/2
switchport mode access
switchport access vlan 50
source template 802_1x

07-30-2020 04:40 PM
I'm not sure I understand the question but without 'switchport mode access' configured on the port, any of the unsupported settings in your source template will not be applied properly.
As this is not a supported configuration, I would recommend against applying that template to any ports that are not configured with 'switchport mode access' as it could result in unexpected/unpredictable behaviours.
If you need to apply only the supported template settings to a port that is not configured for 'switchport mode access' for some reason, I would recommend creating a different template without the unsupported commands and applying that instead.
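
An added example (not part of the thread and not Cisco's code): a small Python audit of saved running-config text that lists ports sourcing a template without an explicit 'switchport mode access' line, the condition the answer above advises against. The function names and the sample config are constructed for illustration, and the check assumes the mode appears as an explicit line, as in the outputs posted in this thread.

```python
# Constructed sample: stanzas modelled on the thread's "sh run int" output.
SAMPLE_CONFIG = """\
interface GigabitEthernet5/46
 switchport trunk allowed vlan 1,30
 switchport mode trunk
 switchport voice vlan 30
 source template dot1x-ports
!
interface GigabitEthernet5/47
 no cdp enable
 source template dot1x-ports
!
interface GigabitEthernet1/1
 switchport access vlan 50
 source template 802_1x
!
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 50
 source template 802_1x
!
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif line in ("!", "end"):
            current = None  # stanza terminator
        elif current is not None and line:
            current.append(line)
    return interfaces

def audit_template_ports(config):
    """Return (port, template, mode) for templated ports not in access mode."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        templates = [c.split()[2] for c in cmds if c.startswith("source template ")]
        modes = [c.split()[2] for c in cmds if c.startswith("switchport mode ")]
        mode = modes[-1] if modes else "not set"
        if templates and mode != "access":
            findings.append((name, templates[0], mode))
    return findings

if __name__ == "__main__":
    for port, template, mode in audit_template_ports(SAMPLE_CONFIG):
        print(f"{port}: template {template} sourced, switchport mode {mode}")
```

Ports it reports are the ones to review before moving the template from monitor to closed mode.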

07-31-2020 12:58 AM
Hi,
Command rejected (GigabitEthernet5/47): Mab not supported on this interface.
Interface GigabitEthernet5/47 Command rejected: Dot1x is not supported on this interface.
When I applied the command, the error was that MAB and Dot1x are not supported. Therefore I thought the 802.1x commands in the source template, such as MAB & Dot1x auth, would not be applied. However, when CLOSED mode was enabled, the port was dropped.
Status was UZ-unauthorized. What puzzled me was that even though the error above says Mab and Dot1x are not supported, CLOSED mode eventually dropped the port.
01-14-2024 07:41 PM
Is it possible to use host mode multi-host on the trunk ports - that way the switch authenticates, as the first connection, and then the authentication of endpoints on the downstream switch is done by the radius configuration on that switch?
11-07-2023 01:15 AM
You can do this in config mode on the interface: (config-if)#switchport host
Then you will be able to configure dot1x on this interface.
P.S.: This macro does 3 things.
1. switchport mode access
2. spanning-tree portfast
3. disables port-channeling.
