3560 Switch: dot1x auth-fail not available

jack
Level 1

Hello,

I have two switches running updated IOS's.  They are both 3560's.  On one of them the "dot1x auth-fail" setting is available on the other one it is not.

HERE IS SWITCH #1 :

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C3560-24PS      12.2(53)SE2           C3560-IPBASEK9-M

When I go to configure dot1x on an interface, here are the options I have:

SwitchA_3560_24_A#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchA_3560_24_A(config)# int f0/5
SwitchA_3560_24_A(config-if)#dot1x ?
  credentials     Credentials profile configuration
  default         Configure Dot1x with default values for this port
  max-reauth-req  Max No.of Reauthentication Attempts
  max-req         Max No.of Retries
  max-start       Max No. of EAPOL-Start requests
  pae             Set 802.1x interface pae type
  supplicant      Configure supplicant parameters
  timeout         Various Timeouts

SwitchA_3560_24_A(config-if)#dot1x

As you can see, there is no "auth-fail" setting.

HERE IS SWITCH #2 :

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3560G-24PS     12.2(44)SE2           C3560-IPBASEK9-M

When I go to configure dot1x, here are the options:

SwitchB_3560GPWR_A#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchB_3560GPWR_A(config)#int g0/5
SwitchB_3560GPWR_A(config-if)#dot1x ?
  auth-fail          Configure Authentication Fail values for this port
  control-direction  Set the control-direction on the interface
  critical           Enable 802.1x Critical Authentication
  default            Configure Dot1x with default values for this port
  fallback           Enable the Webauth fallback mechanism
  guest-vlan         Configure Guest-vlan on this interface
  host-mode          Set the Host mode for 802.1x on this interface
  mac-auth-bypass    Enable MAC Auth Bypass
  max-reauth-req     Max No.of Reauthentication Attempts
  max-req            Max No.of Retries
  pae                Set 802.1x interface pae type
  port-control       set the port-control value
  reauthentication   Enable or Disable Reauthentication for this port
  timeout            Various Timeouts
  violation-mode     Set the Security Violation mode on this interface

SwitchB_3560GPWR_A(config-if)#dot1x

As you can see, "auth-fail" is the first setting and there are a lot more settings.

Why do I have one set on one switch and another set on another switch?

One switch is a G switch while the other (with fewer options) is a FastEthernet switch.  Is this the difference?

Is there a way to activate the features I am missing without new hardware?

Thanks.

Accepted Solution

Peter Paluch
Cisco Employee

Jack,

The dot1x auth-fail seems to have been replaced by the following command:

authentication event fail retry N action authorize vlan X

where X is the number of the auth-fail (restricted) VLAN, and the N is a number you would use in the dot1x auth-fail max-attempts command, decreased by one. A configuration of the form

dot1x auth-fail vlan 999

dot1x auth-fail max-attempts 2

would be rewritten as

authentication event fail retry 1 action authorize vlan 999

Try this out.

Best regards,

Peter
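An added example (not from this thread and not Cisco code) that applies the mapping above to a whole config rather than one interface: it rewrites each interface stanza's legacy `dot1x auth-fail vlan X` / `dot1x auth-fail max-attempts N` pair into `authentication event fail retry N-1 action authorize vlan X`. The sample config is constructed, and the script assumes the `retry` keyword may be left out when `max-attempts` was never configured, so the platform default applies.

```python
import re

# Constructed sample config (not taken from the thread): two access ports using
# the legacy syntax, one with max-attempts set and one relying on the default.
LEGACY_CONFIG = """\
interface FastEthernet0/5
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x auth-fail vlan 999
 dot1x auth-fail max-attempts 2
!
interface FastEthernet0/6
 switchport mode access
 dot1x auth-fail vlan 999
!
"""

VLAN_RE = re.compile(r"^\s*dot1x auth-fail vlan (\d+)\s*$")
ATTEMPTS_RE = re.compile(r"^\s*dot1x auth-fail max-attempts (\d+)\s*$")


def rewrite_auth_fail(config: str) -> str:
    """Return the config with legacy dot1x auth-fail lines replaced, per
    interface stanza, by the newer 'authentication event fail' command."""
    out, vlan, attempts = [], None, None

    def flush():
        # Emit one replacement line at the end of a stanza that used the legacy form.
        nonlocal vlan, attempts
        if vlan is not None:
            # retry = max-attempts - 1, as in the answer; omit it if max-attempts was unset
            # (assumption: the default then applies on the switch).
            retry = f"retry {attempts - 1} " if attempts is not None else ""
            out.append(f" authentication event fail {retry}action authorize vlan {vlan}")
        vlan, attempts = None, None

    for line in config.splitlines():
        if line.startswith("!") or line.startswith("interface "):
            flush()            # stanza boundary: emit what we collected so far
            out.append(line)
            continue
        if m := VLAN_RE.match(line):
            vlan = int(m.group(1))
        elif m := ATTEMPTS_RE.match(line):
            attempts = int(m.group(1))
        else:
            out.append(line)   # every other line passes through unchanged
    flush()
    return "\n".join(out) + "\n"
```

Diff the script's output against the running config after the IOS upgrade to confirm the switch converted every restricted-VLAN port the same way.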

