Unable to enter auth commands within an interface.... NAC related.

James L
Level 1

Hi. Trying to set up a 3560CX in the lab with a NAC configuration to test posturing. It seems none of the Auth* commands are accepted....

Any pointers...

switch#sh lic
Index 1 Feature: ipservices
Period left: 12 weeks 6  days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted

Index 2 Feature: ipbase
Period left: 0  minute  0  second
switch#

switch#sh inv
NAME: "1", DESCR: "WS-C3560CX-12PC-S"
PID: WS-C3560CX-12PC-S , VID: V03 , SN:xxx


switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#int g0/1
switch(config-if)#auth
switch(config-if)#auth ?
% Unrecognized command
switch(config-if)#auth?
% Unrecognized command
switch(config-if)#auth
^
% Invalid input detected at '^' marker.

switch(config-if)#

Thanks.

Accepted Solution

juan.yanez
Level 1

Check if the "switchport mode access" command is within the configuration port.


5 Replies

Colby LeMaire
VIP Alumni

Depending on your version of software, it could be that it is using the new commands starting with "access-session".  See if you have those commands.  Or post the software version you are using so we can know for sure.

Cristian Matei
VIP Alumni

Hi,

3560x runs the old, now legacy commands for 802.1x, so commands are supported. Before trying again, make sure that:

- you've configured the port as layer 2, access mode
- dot1x is globally enabled
- for some command to show up, mostly global commands, aaa needs to be enabled as well (aaa new-model)

Regards,

Cristian Matei.

Hi Cristian,

Yes, I do have the AAA config in global mode. Extract of config is below…

I am also doing TACACS back to the ISE servers (hence why there is TACACS config as well)…

switch#sh run
Building configuration...

Current configuration : 5953 bytes
!
! Last configuration change at 21:09:53 AEDT Wed Mar 11 2020 by blah
! NVRAM config last updated at 21:09:54 AEDT Wed Mar 11 2020 by blah
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service sequence-numbers
!
hostname switch
!
boot-start-marker
boot-end-marker
!
!
logging count
logging userinfo
logging buffered 32768
enable secret 5 aaa
!
username cisco privilege 15 secret 5 aaa
aaa new-model
!
!
aaa group server tacacs+ default
 server name ISE01
 server name ISE02
!
aaa group server radius dot1x_auth
 server name ISE1
 server name ISE2
!
aaa authentication login default local group tacacs+
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group dot1x_auth
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization commands 15 default local group tacacs+
aaa authorization network default group dot1x_auth
aaa accounting update newinfo
aaa accounting dot1x default start-stop group dot1x_auth
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa server radius dynamic-author
 client 192.168.10.71 server-key 7 aaa
 client 192.168.10.72 server-key 7 aaa
!
aaa session-id common
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
system mtu routing 1500
!
ip domain-name blah.net.au
ip device tracking probe delay 10
vtp domain home
vtp mode transparent
!
udld aggressive
!
mab request format attribute 32 vlan access-vlan
!
dot1x system-auth-control
dot1x critical eapol
identity profile default
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan 10
!
lldp run
!
!
interface GigabitEthernet0/1
 switchport access vlan 10
 spanning-tree portfast edge
!
<.....>
!
interface GigabitEthernet0/16
 switchport access vlan 10
 spanning-tree portfast edge
!
interface Vlan1
 ip address dhcp
 shutdown
!
interface Vlan10
 ip address 192.168.10.127 255.255.255.0
!
ip default-gateway 192.168.10.1
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
ip tacacs source-interface Vlan10
!
ip access-list extended PREAUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 deny   ip any any log
!
!
!
!
tacacs server ISE01
 address ipv4 192.168.10.71
 key 7 aaa
tacacs server ISE02
 address ipv4 192.168.10.72
 key 7 aaa
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 2
radius-server key 7 aaa
!
radius server ISE1
 address ipv4 192.168.10.71 auth-port 1812 acct-port 1813
 key 7 aaa
!
radius server ISE2
 address ipv4 192.168.10.72 auth-port 1812 acct-port 1812
 key 7 aaa
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 login authentication console
line vty 0 4
 privilege level 15
 password 7 aaa
 logging synchronous
 transport input telnet ssh
line vty 5 14
 privilege level 15
 password 7 aaa
 logging synchronous
 transport input telnet ssh
line vty 15
 privilege level 15
 password 7 aaa
 logging synchronous
 transport input telnet ssh
!
ntp server 192.168.10.1
!
end

switch#

Hi,

Your ports are dynamic layer 2 ports (can become access or trunk) and this is your problem. Make them static access ports via the command "switchport mode access".

Regards,

Cristian Matei.
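A small readiness checker for the two things this thread turns on: the global prerequisites Cristian lists (aaa new-model, dot1x system-auth-control) and the per-port diagnosis above (a port still in dynamic L2 mode, missing "switchport mode access"). This is an added example, not code from the thread or from Cisco; it parses a constructed running-config modelled on the posted output, and the interface names and VLAN in it are sample values.

```python
# Constructed sample modelled on the thread's posted config (not the poster's full output).
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport access vlan 10
 spanning-tree portfast edge
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast edge
!
interface Vlan10
 ip address 192.168.10.127 255.255.255.0
"""
REQUIRED_GLOBAL = ("aaa new-model", "dot1x system-auth-control")
PHYSICAL = ("FastEthernet", "GigabitEthernet", "TenGigabitEthernet")


def parse_config(text: str):
    # Split an IOS running-config into global lines and per-interface blocks.
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None  # a bare '!' terminates the current block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:  # unindented line (or sub-line of a non-interface block) is global
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def check_dot1x_readiness(text: str) -> dict:
    """Map scope -> findings explaining why auth*/dot1x commands may be hidden."""
    global_lines, interfaces = parse_config(text)
    findings = {}
    missing = [c for c in REQUIRED_GLOBAL if c not in global_lines]
    if missing:
        findings["global"] = [f"missing '{c}'" for c in missing]
    for name, lines in interfaces.items():
        # A physical port left in dynamic (DTP) mode rejects per-port auth commands.
        if name.startswith(PHYSICAL) and "switchport mode access" not in lines:
            findings[name] = ["dynamic L2 port: add 'switchport mode access' first"]
    return findings
```

Run against the posted output it flags Gi0/1 through Gi0/16 and nothing global, which matches the accepted answer. While in the posted config, note that ISE2 is defined with acct-port 1812 rather than the 1813 ISE1 uses, so accounting to that server is worth a second look.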
