11-07-2011 12:57 PM
I am currently trying to use LMS 3.2 Compliance management to verify and alter our access port configurations for 802.1x. Below is our current configuration:
switchport access vlan XX
switchport mode access
authentication control-direction in
authentication event fail retry 0 action authorize vlan XXX
authentication event no-response action authorize vlan XXX
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-req 1
dot1x max-reauth-req 1
storm-control broadcast level 75.00
spanning-tree portfast
spanning-tree bpduguard enable
I require the configurations to be changed to:
switchport access vlan XX
switchport mode access
authentication event fail action authorize vlan XXX
authentication event no-response action authorize vlan XXX
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 8
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree bpduguard enable
Additionally, I require LMS to verify that the port is indeed an access port with 802.1x already applied to it before adjusting the configurations. I have tried pushing this compliance check out with a prerequisite of having "switchport mode access" applied to it, and then having the next command set state:
Submode: interface [#Ethernet*/*/*#]
- dot1x max-req 1
- dot1x max-reauth-req 1
+ no dot1x max-req 1
+ no dot1x max-reauth-req 1
This was a simple test on a single device to see if I could remove the limits on authentication and requests entered. The job states successful and there are no devices that are non-compliant, however no changes to the device configurations have been made. I seek assistance in command syntax or if there is another way to push this out, as I have about 1k network devices to go through and make these changes.
11-08-2011 11:19 AM
The following template should do what you want:
Name: Global
SubMode: No
isPrerequisite: No
Ordered: No
Prerequisite-Commandset: none
Parent: none

Name: Switchport
SubMode: Yes
isPrerequisite: Yes
Ordered: No
Prerequisite-Commandset: none
Parent: none
interface [#FastEthernet.*#]
+[#switchport mode access#]

Name: 802fix
SubMode: No
isPrerequisite: No
Ordered: No
Prerequisite-Commandset: Switchport
Parent: Switchport
-dot1x max-req 1
-dot1x max-reauth-req 1

Note that I have changed to [#FastEthernet.*#] to be applied on FastEthernet interfaces.
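The check both posts describe (only touch ports that are already access ports with 802.1x, then remove the old dot1x/authentication lines and add the new ones) can be audited outside LMS against a saved running-config, which is a useful sanity check when a job reports "successful" but nothing changed. The following is an added example written for this thread, not code from the thread or from Cisco LMS; the interface names, VLAN numbers (999 stands in for the XXX guest VLAN) and the config text are constructed, and the interface-name regex mirrors the `[#FastEthernet.*#]` pattern from the answer.

```python
"""Added example (not from the thread or from Cisco LMS): audit a saved IOS
running-config, apply the prerequisite 'access port with 802.1x already
applied', and for each eligible port produce the remove/add command set that
reaches the target configuration.  All sample data below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt: one port meeting the prerequisite, one
# access port without 802.1x, and a trunk that must not be touched.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 authentication control-direction in
 authentication event fail retry 0 action authorize vlan 999
 authentication event no-response action authorize vlan 999
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 10
 dot1x max-req 1
 dot1x max-reauth-req 1
 storm-control broadcast level 75.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 dot1x pae authenticator
!
"""

# Prerequisite from the question: an access port that already runs 802.1x.
PREREQUISITES = ("switchport mode access", "dot1x pae authenticator")
# Only commands under these prefixes are ever removed; 'switchport access
# vlan' and 'spanning-tree' lines are left alone.
MANAGED_PREFIXES = ("authentication ", "dot1x ", "storm-control ")
# Target state from the question (VLAN 999 is a placeholder for XXX).
TARGET_LINES = [
    "authentication event fail action authorize vlan 999",
    "authentication event no-response action authorize vlan 999",
    "authentication port-control auto",
    "authentication periodic",
    "dot1x pae authenticator",
    "dot1x timeout tx-period 8",
    "storm-control broadcast level 10.00",
    "storm-control multicast level 10.00",
]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-mode lines]} from an IOS config dump."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global line ends the sub-mode block
    return blocks


def meets_prerequisite(lines: List[str]) -> bool:
    """True only if every prerequisite line is present on the interface."""
    return all(p in lines for p in PREREQUISITES)


def plan_changes(lines: List[str]) -> List[str]:
    """Commands (removals first, then additions) to reach TARGET_LINES."""
    removes = [f"no {l}" for l in lines
               if l.startswith(MANAGED_PREFIXES) and l not in TARGET_LINES]
    adds = [t for t in TARGET_LINES if t not in lines]
    return removes + adds


def build_job(config: str, name_pattern: str = r"^FastEthernet.*"
              ) -> Tuple[Dict[str, List[str]], List[str]]:
    """Per-interface command lists for eligible ports, plus the names of
    matching ports that failed the prerequisite and were skipped."""
    changes: Dict[str, List[str]] = {}
    skipped: List[str] = []
    for name, lines in parse_interfaces(config).items():
        if not re.match(name_pattern, name):
            continue
        if not meets_prerequisite(lines):
            skipped.append(name)
            continue
        cmds = plan_changes(lines)
        if cmds:
            changes[name] = cmds
    return changes, skipped


if __name__ == "__main__":
    job, left_alone = build_job(SAMPLE_CONFIG)
    for name, cmds in job.items():
        print(f"interface {name}")
        for c in cmds:
            print(f" {c}")
    for name in left_alone:
        print(f"! {name}: skipped, prerequisite not met")
```

Running it against the sample prints a 12-line command set for FastEthernet1/0/1 (eight `no` removals followed by the four missing target lines), reports FastEthernet1/0/2 as skipped, and never considers the trunk. Running `plan_changes` on a port that already matches the target returns an empty list, so the same script doubles as the compliance check: any interface for which it produces commands is non-compliant.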