
Dot1x configuration change on Cisco 2960

Hello Experts -

 

I have Cisco WS-C2960X-24TS-LL switches on which I earlier configured the Dot1x configuration shown below. It was working fine; the user was getting authorized and authenticated by the configuration. Now the issue is that when I configure the switch with the old configuration syntax, it gives an error "%Command deprecated (authentication port-control auto ) - use access-session instead". Now when I configure the interface with the "access-session port-control auto" command, it does not authenticate the interface. When I type "Show dot1x interface gig 0/11 details" it shows "Dot1x Authenticator Client List Empty". A snapshot of the earlier successful authentication is attached for reference.

Kindly provide a solution. I will appreciate it.

 

OLD Configuration:

Interface gig 0/11
 dot1x pae authenticator
 authentication port-control auto

New Configuration:

Interface gig 0/11
 dot1x pae authenticator
 access-session host-mode single-host
 access-session port-control auto

 


Hi,

If you are using the "access-session" commands then you are using IBNS 2.0, have you configured the required service-policy etc? IBNS 2.0 deployment guide for your reference

 

HTH
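The check behind the service-policy question above, as an added example that is not part of the original thread or any Cisco tool: it scans a saved running-config for ports that enable 802.1X with `access-session port-control` and reports those with no `service-policy type control subscriber` applied, or with one that names an undefined policy-map. The sample config, interface names and policy names are constructed for illustration.

```python
import re

# Constructed sample running-config; interface and policy names are made up.
SAMPLE_CONFIG = """\
policy-map type control subscriber DOT1X_POLICY
!
interface GigabitEthernet0/10
 dot1x pae authenticator
 access-session port-control auto
 service-policy type control subscriber DOT1X_POLICY
!
interface GigabitEthernet0/11
 dot1x pae authenticator
 access-session host-mode single-host
 access-session port-control auto
!
interface GigabitEthernet0/12
 access-session port-control auto
 service-policy type control subscriber UNDEFINED_POLICY
!
"""

BIND = "service-policy type control subscriber "

def audit_dot1x(config: str) -> dict:
    """Map each new-style 802.1X port to a list of policy problems (empty = OK)."""
    defined = set(re.findall(r"^policy-map type control subscriber (\S+)", config, re.M))
    ports, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ports[current] = []
        elif raw.startswith(" ") and current is not None:
            ports[current].append(raw.strip())   # sub-command of the open interface
        else:
            current = None                        # "!" or a global command closes it
    report = {}
    for name, cmds in ports.items():
        if not any(c.startswith("access-session port-control") for c in cmds):
            continue                              # port does not use new-style 802.1X
        bound = [c[len(BIND):].strip() for c in cmds if c.startswith(BIND)]
        problems = []
        if not bound:
            problems.append("no control subscriber service-policy applied")
        problems += [f"policy-map {p} is not defined" for p in bound if p not in defined]
        report[name] = problems
    return report

if __name__ == "__main__":
    for port, problems in audit_dot1x(SAMPLE_CONFIG).items():
        print(port, "OK" if not problems else "; ".join(problems))
```

The Gi0/11 entry in the sample mirrors the "New Configuration" from the question, which has the `access-session` commands but no policy applied.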

Hey, thank you so much for this guide, but the issue is that on my switches I don't have a policy command. Is there any way to revert to the legacy style, i.e. the "authentication port-control" command style?

 

As there are now configured IBNS2.0 commands you cannot revert to legacy mode, reference here. I think the only way to do this is wipe the switch.

 

If this was working previously did you upgrade the switch firmware?

Thanks much. I am getting only the command "authentication display config-mode" instead of "authentication display new-style". Further, I updated the switch firmware earlier; it was working, and even after I updated the switch firmware it worked, but suddenly it stopped. Please suggest: should I revert to the older version on the switch, or is there any other solution? I need to configure Dot1x authentication.

I don't see any information in the 2960 release notes to say that the old style IBNS 1.0 configuration is no longer supported, so you may not need to downgrade the IOS.

You can still use dot1x with this new IBNS2 configuration, but if you want to use the old style, then once IBNS 2.0 commands are configured you can only revert by erasing the configuration of the switch.

HTH

Can you share the complete steps for erasing the configuration of the switch, just to confirm the correct way for me? I will appreciate it.

If you have a copy of the old-style configuration in flash, then you may try

copy flash:<old-style-configuration-filename> start

reload

Franz1879

Hi all, 

I have a similar problem with a Cisco 9200L where I have configured aaa for 802.1X. I suspect that by configuring aaa, an Accounting command from IBNS 2.0 was inadvertently entered and it has changed the Authentication Display to new-style. In that situation, this has invalidated all the aaa old-style configuration!

When I enter the command "authentication display config-mode" the output is:
Current configuration mode is new-style

I cleared all the aaa configuration with "no aaa new-model" but nothing has changed. The current configuration has not been saved in NVRAM, so in case of a reload the switch will reboot with "no aaa new-model" in the startup config.

Will this be enough to return to the aaa old-style mode? Is there any other solution?

I think it is very strange and dangerous, as it invalidates all the 802.1X configuration, and the Config Guide reports that it is irreversible!

Any help is appreciated.

Thanks

F

 

 

It is irreversible.  Your only option is a factory reset of the switch (write erase / reload).  Why not learn and use IBNS 2.0 though?  It is much more flexible than IBNS 1.0.

Hi Ahollifield and thank you for your reply.

The problem is that all the other switches are configured in aaa legacy mode, so I prefer to continue in that way.

If I understand well, the write erase is a necessary step, even if the actual IBNS 2.0 configuration is not saved in NVRAM. Is that correct?

Regards

F

 

I don't think it's a question of where the IBNS 2.0 configuration is saved; it's just an OS thing. It's the same as entering aaa new-model: that command is also non-reversible without a factory reset.
