08-09-2011 08:55 AM - edited 03-07-2019 01:37 AM
Hello,
I have two switches running updated IOS versions. They are both 3560s. On one of them the "dot1x auth-fail" setting is available; on the other one it is not.
HERE IS SWITCH #1 :
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C3560-24PS 12.2(53)SE2 C3560-IPBASEK9-M
When I go to configure dot1x on an interface, here are the options I have:
SwitchA_3560_24_A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA_3560_24_A(config)# int f0/5
SwitchA_3560_24_A(config-if)#dot1x ?
credentials Credentials profile configuration
default Configure Dot1x with default values for this port
max-reauth-req Max No.of Reauthentication Attempts
max-req Max No.of Retries
max-start Max No. of EAPOL-Start requests
pae Set 802.1x interface pae type
supplicant Configure supplicant parameters
timeout Various Timeouts
SwitchA_3560_24_A(config-if)#dot1x
As you can see, there are no "auth-fail" settings.
HERE IS SWITCH #2 :
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C3560G-24PS 12.2(44)SE2 C3560-IPBASEK9-M
When I go to configure dot1x, here are the options:
SwitchB_3560GPWR_A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB_3560GPWR_A(config)#int g0/5
SwitchB_3560GPWR_A(config-if)#dot1x ?
auth-fail Configure Authentication Fail values for this port
control-direction Set the control-direction on the interface
critical Enable 802.1x Critical Authentication
default Configure Dot1x with default values for this port
fallback Enable the Webauth fallback mechanism
guest-vlan Configure Guest-vlan on this interface
host-mode Set the Host mode for 802.1x on this interface
mac-auth-bypass Enable MAC Auth Bypass
max-reauth-req Max No.of Reauthentication Attempts
max-req Max No.of Retries
pae Set 802.1x interface pae type
port-control set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout Various Timeouts
violation-mode Set the Security Violation mode on this interface
SwitchB_3560GPWR_A(config-if)#dot1x
As you can see, "auth-fail" is the first setting and there are a lot more settings.
Why do I have one set on one switch and another set on another switch?
One switch is a G switch while the other (with fewer options) is a FastEthernet switch. Is this the difference?
Is there a way to activate the features I am missing without new hardware?
Thanks.
08-09-2011 09:14 AM
Jack,
The dot1x auth-fail seems to have been replaced by the following command:
authentication event fail retry N action authorize vlan X
where X is the number of the auth-fail (restricted) VLAN, and the N is a number you would use in the dot1x auth-fail max-attempts command, decreased by one. A configuration of the form
dot1x auth-fail vlan 999
dot1x auth-fail max-attempts 2
would be rewritten as
authentication event fail retry 1 action authorize vlan 999
Try this out.
Best regards,
Peter
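An added example, not part of the original thread: a small Python converter that applies the mapping described in the answer above (retry N = max-attempts minus one) to every interface stanza of a saved configuration. The sample configuration is constructed, and emitting the command without a retry clause when no max-attempts line exists is an assumption that leaves the platform default in effect.

```python
import re

# Constructed sample in the legacy syntax (not taken from the thread's switches).
LEGACY = """\
interface GigabitEthernet0/5
 switchport mode access
 dot1x pae authenticator
 dot1x auth-fail vlan 999
 dot1x auth-fail max-attempts 2
!
interface GigabitEthernet0/6
 dot1x auth-fail vlan 998
!
"""

VLAN_RE = re.compile(r"^\s*dot1x auth-fail vlan (\d+)\s*$")
TRIES_RE = re.compile(r"^\s*dot1x auth-fail max-attempts (\d+)\s*$")

def convert_stanza(lines):
    """Replace one interface stanza's legacy auth-fail lines with the new form."""
    vlan = tries = None
    kept = []
    for line in lines:
        if m := VLAN_RE.match(line):
            vlan = int(m.group(1))
        elif m := TRIES_RE.match(line):
            tries = int(m.group(1))
        else:
            kept.append(line)
    if vlan is None:
        return lines  # no restricted VLAN configured: leave the stanza untouched
    # Mapping from the answer: retry count is max-attempts decreased by one.
    # Assumption: with no max-attempts line, omit "retry" and keep the default.
    retry = f"retry {tries - 1} " if tries is not None else ""
    kept.append(f" authentication event fail {retry}action authorize vlan {vlan}")
    return kept

def convert_config(text):
    out, stanza = [], []
    for line in text.splitlines():
        if stanza and line.startswith(" "):
            stanza.append(line)  # indented line belongs to the open interface
            continue
        out.extend(convert_stanza(stanza))  # stanza ended: flush it
        stanza = [line] if line.startswith("interface ") else []
        if not stanza:
            out.append(line)
    out.extend(convert_stanza(stanza))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(convert_config(LEGACY), end="")
```

Review the output for each port before applying it, since a wrong VLAN number here decides which network a device lands on after failed authentication.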