05-02-2016 10:10 PM - edited 03-08-2019 05:35 AM
Hi all,
I'm having some trouble configuring dot1x on my switch. I'm new to the Cisco world, but it would seem the documentation is misleading or incorrect regarding the reauthentication commands.
I am running IOS version 15.0.2SE9 and the following commands don't seem to be recognized despite them being listed in the documentation below:
dot1x re-authenticate
dot1x reauthentication
dot1x timeout reauth-period
along with a few others.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-0_2_se/command/reference/cr2960.pdf
Oddly enough, if I type out the commands the CLI will accept some of them, but no changes are actually reflected when showing the running config. On another note, the switch is also not honoring the "Session-Timeout" or "Termination-Action" KVPs from the RADIUS server.
Any help would be much appreciated.
05-03-2016 04:17 AM
Hi,
the 'dot1x' keyword has widely been replaced by the 'authentication' keyword on newer switches/software. Some of the old commands are still available, which can be confusing sometimes.
I'd recommend to use the c2960 Software Configuration Guides.
Here you can find the Configuring IEEE 802.1x Port-Based Authentication chapter.
RADIUS configuration has been slightly changed; you can find it in the Configuring Switch-Based Authentication chapter.
HTH
Rolf
P.S.: Regarding the EXEC-level commands, I found this CSC discussion. There is a feedback link in Cisco documentation (right side), but I don't know if anybody reads the suggestions we leave there ...
11-19-2020 05:00 AM
I'm running
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 12 WS-C2960CX-8PC-L 15.2(7)E C2960CX-UNIVERSALK9-M
and I'm missing all dot1x/authentication/MAB commands on interface level. I think I have all commands on global configuration. Is this a license nowadays? Do I need to type a command to enable them?
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int gigabitEthernet 0/2
Switch(config-if)#?
Interface configuration commands:
aaa Authentication, Authorization and Accounting.
access-session Access Session specific Interface Configuration Commands
arp Set arp type (arpa, probe, snap) or timeout or log options
auto Configure Automation
bandwidth Set bandwidth informational parameter
bgp-policy Apply policy propagated by bgp community string
carrier-delay Specify delay for interface transitions
cdp CDP interface subcommands
channel-group Etherchannel/port bundling configuration
channel-protocol Select the channel protocol (LACP, PAgP)
crypto Encryption/Decryption commands
cts Configure Cisco Trusted Security
dampening Enable event dampening
datalink Interface Datalink commands
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
down-when-looped Force looped interface down
downshift link downshift feature
duplex Configure duplex operation.
exit Exit from interface configuration mode
flow-sampler Attach flow sampler to the interface
flowcontrol Configure flow operation.
help Description of the interactive help system
history Interface history histograms - 60 second, 60 minute and 72 hour
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
ipv6 IPv6 interface subcommands
keepalive Enable keepalive
lacp LACP interface subcommands
link Interface link related commands
lldp LLDP interface subcommands
load-interval Specify interval for load calculation for an interface
location Interface location information
logging Configure logging for interface
mac MAC interface commands
macro Command macro
mdix Set Media Dependent Interface with Crossover
mls mls interface commands
mvr MVR per port configuration
neighbor interface neighbor configuration mode commands
network-policy Network Policy
nmsp NMSP interface configuration
no Negate a command or set its defaults
onep Configure onep settings
ospfv3 OSPFv3 interface commands
pagp PAgP interface subcommands
power Power configuration
priority-queue Priority Queue
queue-set Choose a queue set for this queue
rmon Configure Remote Monitoring on an interface
routing Per-interface routing configuration
service-policy Configure CPL Service Policy
shutdown Shutdown the selected interface
small-frame Set rate limit parameters for small frame
snmp Modify SNMP interface parameters
source Get config from another source
spanning-tree Spanning Tree Subsystem
speed Configure speed operation.
srr-queue Configure shaped round-robin transmit queues
storm-control storm configuration
subscriber Subscriber inactivity timeout value.
switchport Set switching mode characteristics
timeout Define timeout values for this interface
topology Configure routing topology on the interface
transmit-interface Assign a transmit interface to a receive-only interface
tx-ring-limit Configure PA level transmit ring limit
udld Configure UDLD enabled or disabled and ignore global UDLD setting
vtp Enable VTP on this interface
Switch(config-if)#
11-19-2020 08:19 AM
Hi,
You should start with the "aaa new-model" and "aaa authentication dot1x" global configuration commands.
Best regards,
Antonin
11-19-2020 10:38 PM
Yes, I have those commands in running configuration; btw, I have dot1x working on other, older switches and routers. I have had it working for years on other switches, like on this 3560 that is running 15.2
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 10 WS-C3560CG-8PC-S 15.2(2)E10 C3560c405ex-UNIVERSALK9-M
Everything else seems to be working, including "test aaa group radius testuser testpassword new-code" on the 2960x. It's just that dot1x commands are missing. All guides I have read say that some commands may have changed name to authentication/access-session. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_4_e/configurationguide/b_1524e_consolidated_2960p_2960c_cg/b_1524e_consolidated_2960p_2960c_cg_chapter_0110100.html
on my 3560:
3560CG-SW(config-if)#access-session ?
closed Enable closed access on port (disabled by default, i.e. open access)
control-direction Set the control-direction on the interface
host-mode Set the Host mode for authentication on this interface
inherit Access Session Inherit
interface-template Set the local interface-template sticky
monitor Apply globally defined access-session monitor
port-control Set the port-control value
3560CG-SW(config-if)#authentication ?
control-direction Set the control-direction on the interface
event Set action for authentication events
fallback Enable the Webauth fallback mechanism
host-mode Set the Host mode for authentication on this interface
linksec Configure link security parameters
open Enable or Disable open access on this port
order Add an authentication method to the order list
periodic Enable or Disable Reauthentication for this port
port-control Set the port-control value
priority Add an authentication method to the priority list
timer Set authentication timer values
violation Configure action to take on security violations
and I only get:
2960CX-SW(config-if)#access-session ?
inherit Access Session Inherit
interface-template Set the local interface-template sticky
monitor Apply interface defined access-session monitor
2960CX-SW(config-if)#auth?
% Unrecognized command
11-20-2020 02:17 AM - edited 11-20-2020 02:18 AM
Hi,
Thanks for the reply. Provided you also have "dot1x system-auth-control" configured, please make sure you have configured your interface as access ("switchport mode access") first, as with some platforms and IOS releases the authentication & dot1x commands appear only after this static assignment.
If still no success, you may consider upgrading the IOS version, as I can remember some bug/issue regarding aaa authentication in your IOS release. The authentication & dot1x commands are nowadays more or less the same across all the Catalyst platforms.
Best regards,
Antonin
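The following is an added example, not taken from any post in this thread, that puts together Rolf's point (the old 'dot1x' reauthentication commands have 'authentication' equivalents) and Antonin's ordering (global AAA and dot1x system-auth-control first, static access port before the interface-level commands). It shows a minimal 802.1X/MAB access-port configuration in the newer syntax, including the reauthentication settings that make the switch honor the RADIUS Session-Timeout attribute. The RADIUS server name, IP address, VLAN number and shared secret are placeholders; the 'radius server' block is the 15.2-style form, on 15.0(2)SE the older 'radius-server host' command is used instead.

```cisco
! Added example, not from any poster in this thread.
! Placeholders: ISE-1, 192.0.2.10, VLAN 10, EXAMPLE_SHARED_SECRET.

! --- Global prerequisites: without these the interface-level
! --- authentication/dot1x commands may not be offered by the CLI.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key EXAMPLE_SHARED_SECRET
!
dot1x system-auth-control
!
! --- Interface: make it a static access port FIRST; on some
! --- platforms/releases the authentication commands only appear after this.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 ! Old "dot1x reauthentication" / "dot1x timeout reauth-period" become
 ! "authentication periodic" / "authentication timer reauthenticate".
 authentication periodic
 ! "server" takes the reauth interval from the RADIUS Session-Timeout
 ! attribute (Termination-Action = RADIUS-Request) instead of a fixed
 ! local number of seconds.
 authentication timer reauthenticate server
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! --- Verification (privileged EXEC, not config mode):
! show authentication sessions interface GigabitEthernet0/2 details
! show dot1x interface GigabitEthernet0/2 details
! show running-config interface GigabitEthernet0/2
```

After applying this, 'show running-config interface GigabitEthernet0/2' should list the authentication lines; if they are still missing, the global prerequisites or the static access-port assignment were not accepted, which is the symptom both earlier posts describe.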
11-19-2020 09:06 PM
I would also recommend following Hari's prescriptive deployment guide for wired NAC. This will provide you a complete run down of the features, and configuration examples.
https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515