2490 Views, 20 Helpful, 8 Replies

This switch can support dot1x?

eigrpy (Level 4)

Hi, do you think the 3560 switch can support dot1x? I can type the command “dot1x system-auth-control” on this switch, but I cannot type some commands (like “authentication event fail action next-method”, etc.) on each interface. The IOS info is below. Thank you.

C3560-IPBASEK9-M, Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)

2 Accepted Solutions

amikat (Spotlight)

Hi,

The "authentication event" command was introduced in the 12.2(50)SE IOS release. Starting with this release, a significant syntax change happened for the 802.1x commands. In 12.2(46)SE and earlier versions the majority of the 802.1x commands were different from the later versions (the syntax usually started with the "dot1x" keyword in those days). So for your IOS release you can probably configure e.g. the "dot1x auth-fail vlan" command. To use the "authentication event" command on your box you should upgrade to 12.2(50)SE or later.

Best regards,

Antonin


Leo Laohoo (Hall of Fame)

@eigrpy wrote: "12.2(25)SEE2"


12.2(25)SEE train does not support DOT1X.

The commands may be present but that is as far as it goes. 

Another thing: the last digit of the train is a "2", so it can be as buggy as it gets.


8 Replies

TJ-20933766 (Spotlight)

Strange. I'm able to use the command "authentication event fail action next-method" on an interface on the same model of switch.

C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)

Have you configured all the "aaa" commands?

 

Sheraz.Salim (VIP Alumni)

Is your RADIUS configuration correct?

 

ip domain-name xyz.com
crypto key generate rsa general-keys modulus 2048
ip http secure-server
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! interim accounting updates every 1440 minutes (24 hours)
aaa accounting update newinfo periodic 1440
!
! local user used for the RADIUS server test probe
username radius-test password password
!
! one entry per RADIUS node, with its IP address
radius-server host x.x.x.x auth-port 1812 acct-port 1813 test username radius-test key shared_secret
!
! decide whether a RADIUS server is alive or dead
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! enable Change of Authorization (CoA); repeat the client line for each of the policy (POL) and monitoring (MNT) nodes of the ISE cube
aaa server radius dynamic-author
 client x.x.x.x server-key shared_secret
!
! Cisco vendor-specific attributes (VSA)
radius-server vsa send authentication
radius-server vsa send accounting
!
! attributes included: Service-Type (6), Framed-IP-Address (8) and Class (25)
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius dot1x authentication
radius dot1x logging
!
! always good practice to source RADIUS traffic from a management IP address
ip radius source-interface NAME
!
epm logging
!
! the ports must be "switchport mode access" first, or the authentication commands will not be accepted
interface range g1/0/1 - 20
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 authentication host-mode multi-auth
!
! on IOS 12.x before the syntax change the equivalent command was "dot1x port-control auto"
!
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
!
snmp-server trap-source NAME
snmp-server source-interface informs NAME

Here is the link for the switch config.

please do not forget to rate.


Thank you very much for the help. Of course I added aaa new-model. I think Antonin is right and I need to upgrade the IOS.

At this moment I cannot download the new IOS from Cisco. I am going to ask a silly question: can anyone give some suggestions on where I can download the IOS from a non-Cisco website for practice?


@amikat, are you sure this is an IOS version issue? I upgraded the IOS, and it looks like it still does not work. Below is the output of show version.


Switch(config)#do sh ver
Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 28-Jan-13 10:10 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02D00000

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

Switch uptime is 13 minutes
System returned to ROM by power-on
System image file is "flash:/c3560-ipbasek9-mz.122-55.SE7.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
--More--

Hi,

Thanks for the feedback. Please make sure your switch port is configured as access (switchport mode access) first, not the default "auto". 

The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports. Other restrictions apply - please check the Configuration Guide.

Best regards,

Antonin

It works. Thank you!
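The thread turns on three prerequisites: an IOS release new enough for the "authentication ..." interface syntax (12.2(50)SE, per amikat), the global AAA/RADIUS commands (Sheraz.Salim's config), and the port being a static-access or routed port rather than the default dynamic mode (Antonin's final reply). The following Python script is an added example, not code from any poster in this thread; it parses a Cisco IOS running-config and a "show version" line and reports which of those prerequisites are missing. The release threshold is taken from amikat's reply, the sample config and version strings are constructed to mirror the thread (addresses from the 192.0.2.0/24 documentation range, a placeholder shared secret), and the "12.2(50)SE or later" comparison ignores the train letters, which is an assumption of this example.

```python
"""Audit a Cisco IOS running-config for the 802.1X prerequisites raised above.
Added example, not from the thread; thresholds and sample data are labelled."""
import re

# Release that introduced the "authentication event ..." syntax (from amikat's reply).
MIN_AUTH_EVENT_RELEASE = (12, 2, 50)

# Matches e.g. "Version 12.2(55)SE7" or "Version 12.2(25)SEE2".
_VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)")

# Global commands the thread's 802.1X setup relies on.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
)

# Interface commands that mean "802.1X is intended on this port".
DOT1X_PORT_MARKERS = (
    "dot1x pae authenticator",
    "authentication port-control auto",
    "dot1x port-control auto",  # pre-12.2(50)SE syntax
)


def parse_ios_version(show_version_line):
    """Return (major, minor, maintenance, train, rebuild) from a show version line."""
    m = _VERSION_RE.search(show_version_line)
    if m is None:
        raise ValueError("no IOS version string found")
    major, minor, maint, train, rebuild = m.groups()
    return int(major), int(minor), int(maint), train, int(rebuild) if rebuild else 0


def supports_authentication_event(show_version_line):
    """True when the release is 12.2(50) or later (train letters ignored; assumption)."""
    major, minor, maint, _train, _rebuild = parse_ios_version(show_version_line)
    return (major, minor, maint) >= MIN_AUTH_EVENT_RELEASE


def parse_config(config_text):
    """Split IOS config text into global commands and a dict of interface -> commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("!"):
            if not raw.startswith(" "):
                current = None  # a column-0 "!" closes the open interface block
            continue
        if raw.startswith(" "):
            if current is not None:  # indented line: sub-command of the open interface
                interfaces[current].append(stripped)
            continue
        if stripped.startswith("interface "):
            current = stripped.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            global_cmds.append(stripped)
    return global_cmds, interfaces


def audit_dot1x(config_text, show_version_line):
    """Return a list of findings; an empty list means nothing was spotted."""
    findings = []
    if not supports_authentication_event(show_version_line):
        findings.append("ios: release older than 12.2(50)SE, 'authentication ...' interface "
                        "commands are unavailable; upgrade or use the legacy 'dot1x ...' syntax")
    global_cmds, interfaces = parse_config(config_text)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_cmds:
            findings.append(f"global: missing '{cmd}'")
    if not any(c.startswith(("radius-server host ", "radius server ")) for c in global_cmds):
        findings.append("global: no RADIUS server configured")
    for name, cmds in interfaces.items():
        if not any(c.startswith(DOT1X_PORT_MARKERS) for c in cmds):
            continue  # no 802.1X intended on this port
        if "no switchport" in cmds:
            continue  # Layer 3 routed port: supported per Antonin's reply
        if "switchport mode access" not in cmds:
            findings.append(f"interface {name}: 802.1X configured but the port is not a "
                            "static-access port (default dynamic mode); add 'switchport mode access'")
    return findings


# Constructed sample: Gi0/1 has the 802.1X commands but was left in the default
# dynamic mode, Gi0/2 is correct, Gi0/3 is a routed port, Gi0/4 has no 802.1X.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_SECRET
!
interface GigabitEthernet0/1
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet0/3
 no switchport
 ip address 192.0.2.1 255.255.255.0
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet0/4
 switchport mode trunk
"""
VERSION_OK = "Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)"
VERSION_OLD = "C3560-IPBASEK9-M, Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)"

if __name__ == "__main__":
    for version in (VERSION_OLD, VERSION_OK):
        print(version)
        for finding in audit_dot1x(SAMPLE_CONFIG, version) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed sample, the old release produces two findings (the version and the Gi0/1 port mode) and 12.2(55)SE7 produces only the port-mode finding, which is exactly the situation the original poster hit after upgrading. To audit a real switch, paste the output of "show running-config" and the first line of "show version" into the two inputs.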