
CBS250 and 802.1X + MAC Authentication

dtspwiley
Level 1

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/CBS_250_350/CLI/CLI_CBS_250.pdf

-----------------------------------------------
Page 41-42, Section 3.3 dot1x authentication

Example
The following example enables authentication based on 802.1x and the station’s MAC address
on port gi1:
switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# dot1x authentication 802.1x
-----------------------------------------------

On my CBS250-48P-4G, I am trying to configure a port with the command found in the example above and get the following:

 

switch666#config
switch666(config)#interface gi1
switch666(config-if)#dot1x authentication 802.1x
% Unrecognized command

dot1x + ? yields that the 'authentication' options are missing:

 

2022-02-03 14_50_28-COM5 - PuTTY.png

 

other info:

-----------

switch666#show ver
Active-image: flash://system/images/image_cbs250_ros_3.1.1.7_release_cisco_signed.bin
Version: 3.1.1.7
MD5 Digest: 4805a22186295e82609a0a3e6def88e0
Date: 12-Aug-2021
Time: 15:02:37
Inactive-image: flash://system/images/image1.bin
Version: 3.0.0.69
MD5 Digest: 7520543df10e96a355ec0d1bd5785e39
Date: 27-Aug-2020
Time: 15:58:09

 

Is the CBS250 not capable of 802.1X + MAC Authentication?

12 Replies

balaji.bandi
Hall of Fame

Have you issued the below command:

 

aaa authentication dot1x default {radius | none | {radius none}}

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The command:
aaa authentication dot1x default radius
is part of my configuration, but that is a global command. Not an interface command.

Yes, have you configured that in global, and trying to add the 802.1x config on the interface is not working?

 

Can you post show run?

 

BB


Yes.....
aaa authentication dot1x default radius
..... is configured globally and the command on the interface still yields:
switch666#config
switch666(config)#interface gi1
switch666(config-if)#dot1x authentication 802.1x
% Unrecognized command

I can send you a show run at a later date if you still feel that is valuable. I would love to see proof that the command:

dot1x authentication 802.1x

is valid on a CBS200 series switch before sending my config. I recently found an older publication/comparison on the SG series that shows that the SG250 does not support MAC based authentication, but the SG350 does indeed support MAC based authentication. Yes, I know that the SG series is a different model, however on the official model mapping:

https://www.cisco.com/c/en/us/products/collateral/switches/business-250-series-smart-switches/nb-06-bus-switch-trans-guide-cte-en.html#Modelmapping

Model mapping shows that the SG250 maps to the CBS250
Model mapping shows that the SG350 maps to the CBS350

This is the first time using a CBS series as we normally use the SG series, and the SG is no longer available. So our vendor sold us the CBS250 stating the only difference is that the CBS200 series is a non-stacking switch. I have both SG2xx and SG3xx flavors of switches and confirmed that dot1x authentication 802.1x does not work on SG220, but does on our SG350. So my presumption is that this is not supported on CBS250. I'd love someone to show me otherwise.

I do not have these models to test; I am just trying to help you, if that helps you to send the show run config.

 

As I look at the simulator/emulator for the lower model CBS220, I see the options in the GUI I pasted below. If you are still looking for accurate information, contact SMB TAC to help you; they work daily with more customers and they have a deep understanding of the product.

 

image.png

BB

BB - thanks for your help. Your GUI from the emulator looks consistent with what I am expecting to see, and is consistent with what I see in my SG3xx series. However, my CBS250 does have the highlighted 802.1X as listed, but I am missing TACACS+ and when I dive into the Radius (which I am also using), it is missing some of the key menu items I believe I need and highlighted. Config attached.

 

SG350-Compared-CB250 — Mozilla Firefox.png

 

SG350-Compared-CB250 — Mozilla Firefox 2.png

I would suggest calling SMB TAC for clarification.

 

BB


matthias.muench
Level 1

Hello,

We are facing the same issue.
Any news?!
We really need this feature working on 70+ switches (CBS250).

We ended up using SG3xx series switches and abandoned using the 250s. 

Sure, the SG3XX has more features compared to the 250X (also worth looking at EoL; as of now there is no replacement for small business switches in the roadmap of Cisco).

 

BB

I am talking about the CBS250 series (the recent model).

No option for me... we recently bought them, there is no way I can justify switching them now....
How should I have known before buying that this is not working?! It's even documented?! And no feedback from Cisco... very sad to see....