Testing 802.1X authentication on Catalyst 9000v 17.12.01prd9

rezaalikhani
Spotlight

Hello;

As you know, Cisco has released CML 2.7, and along with that, it has introduced several new images like Catalyst 9000v 17.12.01prd9. Based on my personal testing, it is certain that the previous image did not support 802.1X. Has anybody managed to test 802.1X on the newly released image?

Thanks

 

Accepted Solutions

Arne Bier
VIP

Hi @rezaalikhani 

Yeah I tested it the day it got released. I only got as far as testing MAB, and I can report that it works well. The previous release had all the IOS-XE commands, but they did nothing, because the release did not have a functioning Session Manager Daemon (smd). I don't see why 802.1X won't work. I had to hack together a FreeRADIUS server on an Ubuntu CML client for my MAB testing and I didn't have the stomach to figure out how 802.1X is done in FreeRADIUS. I love the idea of FreeRADIUS, but ISE is a whole lot easier to manage.

CML 2.7 also released two new images - IOL (IOS-XE on Linux). This is similar to what Cisco did many, many years ago with IOU (IOS on (Sun) Unix) - a highly compact binary that doesn't emulate a certain model of switch/router, but rather, is like a generic device. They released IOS-XE router and IOS-XE switch. Unfortunately, that switch does not support NAC - commands like "show session" and "show authentication" are missing. But other NAC commands are there. Annoying. Because the C9Kv eats up your CPU, whereas you can run tens of IOL instances and they boot in seconds, and hardly dent your CPU performance. 


2 Replies

I kind of doubt it just because of the way EAP/EAPoL works. I could be wrong, but I would think simulating the client EAPoL start would be very difficult.

802.1X/MAB are not officially tested or supported features: https://developer.cisco.com/docs/modeling-labs/#!cat-9000v/cat-9000v
