Cisco Community
English
Register
Congratulate February's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

929
Views
0
Helpful
7
Replies
Highlighted
getaway51
Explorer
Explorer
‎07-23-2020 06:48 AM
‎07-23-2020 06:48 AM

Command rejected: Dot1x is not supported on this interface.Mab not supported on this interface.

Hi,

 

Is there any reason why the error below Command rejected: Dot1x is not supported on this interface. and Mab not supported on this interface. for port gi5/47. Other ports ok

 

cx001(config-if-range)# source template dot1x-ports
Command rejected (GigabitEthernet5/47): Mab not supported on this interface.
Interface GigabitEthernet5/47 Command rejected: Dot1x is not supported on this interface.

 

cx001#sh run int gi5/47

interface GigabitEthernet5/47
no cdp enable
source template dot1x-ports
end

 

cx001#sh run int gi5/46
interface GigabitEthernet5/46
switchport trunk allowed vlan 1,30
switchport mode trunk
switchport nonegotiate
switchport voice vlan 30
no cdp enable
source template dot1x-ports
end

0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Greg Gibbs
Cisco Employee
Cisco Employee
In response to getaway51
‎07-30-2020 04:40 PM
‎07-30-2020 04:40 PM

I'm not sure I understand the question but without 'switchport mode access' configured on the port, any of the unsupported settings in your source template will not be applied properly.

As this is not a supported configuration, I would recommend against applying that template to any ports that are not configured with 'switchport mode access' as it could result in unexpected/unpredictable behaviours.

If you need to apply only the supported template settings to a port that is not configured for 'switchport mode access' for some reason, I would recommend creating a different template without the unsupported commands and applying that instead.

View solution in original post

0 Helpful
Reply
7 REPLIES 7
Highlighted
Colby LeMaire
VIP Collaborator VIP Collaborator
VIP Collaborator
‎07-23-2020 08:06 AM
‎07-23-2020 08:06 AM

Did you try to default the interface and then reapply the commands?  

0 Helpful
Reply
Highlighted
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
‎07-23-2020 08:09 AM
‎07-23-2020 08:09 AM

Try to define a switchport mode first and see if it helps. As a side note here, it's generally not recommended to deploy 802.1x on trunk ports. I know that can be a pain since some really old voip phone configs had recommended trunk ports, they are still out there used as pseudo access ports.
0 Helpful
Reply
Highlighted
getaway51
Explorer
Explorer
In response to Damien Miller
‎07-23-2020 08:54 AM
‎07-23-2020 08:54 AM

Hi,

 

May I know why is it NOT recommended to deploy 802.1x on trunk ports? 

 

0 Helpful
Reply
Highlighted
Greg Gibbs
Cisco Employee
Cisco Employee
In response to getaway51
‎07-23-2020 04:43 PM
‎07-23-2020 04:43 PM

802.1x is only supported on a trunk port when using NEAT, and only with specific hardware/software versions. For full 802.1x/MAB feature support, the interface must be configured in Access mode.

If you provide the use case requirement for enabling 802.1x on a trunk port, there may be another option to consider.

0 Helpful
Reply
Highlighted
getaway51
Explorer
Explorer
In response to Greg Gibbs
‎07-30-2020 08:28 AM
‎07-30-2020 08:28 AM

Hi,

 

For exmaple below, can i say tht without "switchport mode access" command in the interface, it (gi1/1) will not be affected by both monitor and closed 802.1x mode? therefore will not involve in 802.1x operation of being block/allow

 

Because some interface has config like below:

 

int gi1/1

switchport access vlan 50

source template 802_1x

 

int gi1/2

switchport mode access

switchport access vlan 50

source template 802_1x

0 Helpful
Reply
Highlighted
Greg Gibbs
Cisco Employee
Cisco Employee
In response to getaway51
‎07-30-2020 04:40 PM
‎07-30-2020 04:40 PM

I'm not sure I understand the question but without 'switchport mode access' configured on the port, any of the unsupported settings in your source template will not be applied properly.

As this is not a supported configuration, I would recommend against applying that template to any ports that are not configured with 'switchport mode access' as it could result in unexpected/unpredictable behaviours.

If you need to apply only the supported template settings to a port that is not configured for 'switchport mode access' for some reason, I would recommend creating a different template without the unsupported commands and applying that instead.

View solution in original post

0 Helpful
Reply
Highlighted
getaway51
Explorer
Explorer
In response to Greg Gibbs
‎07-31-2020 12:58 AM
‎07-31-2020 12:58 AM

Hi,


Command rejected (GigabitEthernet5/47): Mab not supported on this interface.
Interface GigabitEthernet5/47 Command rejected: Dot1x is not supported on this interface.

 

When I applied the command, error was MAB and Dot1x not supported. Therefore I thought 802.1x commands in the source template such as MAB & Dot1x auth will not be applied. However when CLOSED mode enabled, the port was DROP.

Status was UZ-unauthorized. What puzzled me was even though error above says Mab and Dot1x not supported but CLOSED mode eventually DROP the port. 

 

0 Helpful
Reply
Latest Contents
SecureX Frequently Asked Questions
Created by adisanka on 03-01-2021 08:33 AM
0
10
0
10
GeneralWhich Cisco Secure products include access to SecureX?What are the SecureX data retention/privacy policies?What is SSE?How can I unlink my smart account from SSE and link it to a new account?Do I have to use the same SSE region as the SecureX regio... view more
Bridge the security gap with Cisco Remote Secure Worker
Created by Kelli Glass on 02-26-2021 04:37 PM
0
0
0
0
More people are working remotely, and this increases the risk of security breaches and the difficulty in defending remote workers where they work and securing the devices they use. Learn about Cisco Remote Secure Worker solutions that verify workers, secu... view more
ISE Performance & Scale
Created by howon on 02-24-2021 08:26 PM
11
219
11
219
  GeneralWhich Cisco Secure products include access to SecureX?What are the SecureX data retention/privacy policies?What is SSE?How can I unlink my smart account from SSE and link it to a new account?Do I have to use the same SSE region as the Secur... view more
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Content for Community-Ad