I just reconfigured my lab:
!
interface FastEthernet0/15
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x guest-vlan 30
dot1x auth-fail vlan 40
spanning-tree portfast
end
--> client was put in the auth-fail vlan 40
!
interface FastEthernet0/15
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x guest-vlan 30
spanning-tree portfast
end
--> client: 12:33:30.953 Port state transition to
AC_PORT_STATE_UNAUTHENTICATED
(AC_PORT_STATUS_ERR_CLIENT_GENERIC_REJECTED)
12:33:30.953 The authentication process has failed.
Ok, according to this blog post http://tinyurl.com/mk6mcr , the client
should be put in the guest-vlan. And it does!
But: I had to wait a long time and thought at first that it didn't work.
I think the time could be reduced by tuning the timers.
Thanks for your help, guys!
Have a nice weekend
Simon
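The thread above states a set of rules (no EAPOL heard -> guest VLAN; EAPOL heard and the login fails -> auth-fail VLAN, or the guest VLAN only with the global dot1x guest-vlan supplicant command; otherwise the port stays unauthorized) and Simon's remark that the wait for the guest VLAN depends on the timers. The script below is an added example, not code from the mailing list or from Cisco: it parses a constructed show-run sample (Fa0/15 and Fa0/16 mirror Simon's two test variants, Fa0/17 his original port with guest and auth-fail VLAN both 66), predicts where a host lands under those rules, estimates the guest-VLAN delay and flags configs that blur the guest/auth-fail distinction. The delay formula (max-reauth-req + 1) * tx-period with the IOS defaults of 30 s and 2, and the reading of dot1x timeout tx-period / dot1x max-reauth-req as the timers to tune, are my assumptions, not something the thread verifies.

```python
"""Model of the 802.1x guest-VLAN / auth-fail-VLAN behaviour discussed in this thread.
Added example, not code from the mailing list: the placement rules are the thread's
own description; the delay formula is an assumption built on IOS defaults."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample show-run: Simon's two variants (Fa0/15, Fa0/16) and his original 66/66 port.
SAMPLE_RUN = """\
interface FastEthernet0/15
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 30
 dot1x auth-fail vlan 40
!
interface FastEthernet0/16
 dot1x port-control auto
 dot1x guest-vlan 30
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
!
interface FastEthernet0/17
 dot1x port-control auto
 dot1x guest-vlan 66
 dot1x auth-fail vlan 66
end
"""

@dataclass
class PortDot1x:
    name: str
    port_control_auto: bool = False
    guest_vlan: Optional[int] = None
    auth_fail_vlan: Optional[int] = None
    tx_period: int = 30       # IOS default for 'dot1x timeout tx-period' (assumption)
    max_reauth_req: int = 2   # IOS default for 'dot1x max-reauth-req' (assumption)

def parse_interfaces(running_config: str) -> Dict[str, PortDot1x]:
    """Collect the dot1x settings of every 'interface' block in show-run text."""
    ports: Dict[str, PortDot1x] = {}
    cur: Optional[PortDot1x] = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if m := re.match(r"^interface (\S+)$", line):
            cur = ports[m.group(1)] = PortDot1x(m.group(1))
        elif cur is None or line in ("!", "end"):   # '!' and 'end' close a block
            cur = None
        elif line == "dot1x port-control auto":
            cur.port_control_auto = True
        elif m := re.match(r"^dot1x guest-vlan (\d+)$", line):
            cur.guest_vlan = int(m.group(1))
        elif m := re.match(r"^dot1x auth-fail vlan (\d+)$", line):
            cur.auth_fail_vlan = int(m.group(1))
        elif m := re.match(r"^dot1x timeout tx-period (\d+)$", line):
            cur.tx_period = int(m.group(1))
        elif m := re.match(r"^dot1x max-reauth-req (\d+)$", line):
            cur.max_reauth_req = int(m.group(1))
    return ports

def predict(port: PortDot1x, eapol_seen: bool, auth_failed: bool,
            guest_vlan_supplicant: bool = False) -> Tuple[str, Optional[int]]:
    """Where a host lands, per the thread: no EAPOL heard -> guest VLAN; EAPOL heard
    and auth fails -> auth-fail VLAN, or the guest VLAN only when the global
    'dot1x guest-vlan supplicant' is set; otherwise the port stays unauthorized."""
    if not port.port_control_auto:
        return ("authorized", None)      # no 802.1x enforcement on this port
    if not eapol_seen:
        return ("guest", port.guest_vlan) if port.guest_vlan else ("unauthorized", None)
    if not auth_failed:
        return ("authorized", None)      # VLAN then comes from the RADIUS reply, if any
    if port.auth_fail_vlan:
        return ("auth-fail", port.auth_fail_vlan)
    if guest_vlan_supplicant and port.guest_vlan:
        return ("guest", port.guest_vlan)
    return ("unauthorized", None)

def guest_vlan_delay(port: PortDot1x) -> int:
    """Seconds a silent host waits for the guest VLAN. Assumption: one initial
    EAP-Request/Identity plus max-reauth-req retries, spaced tx-period apart,
    so (max-reauth-req + 1) * tx-period, i.e. 90 s with IOS defaults."""
    return (port.max_reauth_req + 1) * port.tx_period

def audit(ports: Dict[str, PortDot1x]) -> List[Tuple[str, str]]:
    """Flag guest/auth-fail settings that blur the two cases the thread separates."""
    findings = []
    for p in ports.values():
        if not p.port_control_auto:
            continue
        if p.guest_vlan is not None and p.guest_vlan == p.auth_fail_vlan:
            findings.append((p.name, "same-guest-and-auth-fail"))  # failed logins get guest access
        if p.auth_fail_vlan is None:
            findings.append((p.name, "no-auth-fail-vlan"))  # failed logins stay unauthorized
    return findings

if __name__ == "__main__":
    ports = parse_interfaces(SAMPLE_RUN)
    for p in ports.values():
        print(p.name, predict(p, False, False), guest_vlan_delay(p), predict(p, True, True))
    print(audit(ports))
```

With the defaults, Fa0/15 reports a 90 s wait for a silent host, which matches the "long time" Simon saw; Fa0/16 with tx-period 10 and max-reauth-req 1 drops that to 20 s. The audit flags Fa0/17 because a failed login and a host with no supplicant end up with identical access there, which is usually not what a guest VLAN is meant to give.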
On 27.08.2009 at 18:00, ccie_security-[email protected] wrote:
Today's Topics:
1. Re: Verifying 802.1x guest vlan (Kingsley Charles)
----------------------------------------------------------------------
Message: 1
Date: Thu, 27 Aug 2009 14:47:42 +0530
From: Kingsley Charles <[email protected]>
Subject: Re: [OSL | CCIE_Security] Verifying 802.1x guest vlan
To: Tyson Scott <[email protected]>
Cc: [email protected], Paul Stewart <[email protected]>,
[email protected]
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="iso-8859-1"
Just wanted to add another point.
Let's say there are 4 hosts connected to the switch port and guest vlan is
configured. Out of the 4 hosts, if one host is 802.1x capable and sends the
EAPOL packet, the port is moved to the unauthorized state and the
authentication process is started.
The guest vlan is enabled only while no EAPOL packets are heard from any of
the hosts. With dot1x guest-vlan supplicant, the guest vlan is still
enabled for failed clients irrespective of whether EAPOL is heard or not.
I hope my understanding is correct. If I am wrong, please correct me.
With regards
Kings
On Thu, Aug 27, 2009 at 2:28 PM, Kingsley Charles <[email protected]> wrote:
Hi
The hosts that don't send the EAPOL packets are placed in the guest VLANs.
The switch actually maintains an EAPOL packet history based on which it
places the host in the guest VLANs. If you want to place an authorization
failed host in the guest vlan then you need to configure dot1x guest-vlan
supplicant. This command disables the EAPOL history. Even if the EAPOL
packets are detected, the failed clients are allowed to be placed on the
guest vlans.
With regards
Kings
On Thu, Aug 27, 2009 at 2:42 AM, Tyson Scott <[email protected]> wrote:
Simon/Paul,
Test it to be sure because it has changed a couple times. Try without the
auth-fail vlan and see if it is put into the guest vlan. It may or may not.
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Wednesday, August 26, 2009 2:32 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Verifying 802.1x guest vlan
My understanding is as follows. The guest vlan is used if there is no
802.1x supplicant on the client (or it is disabled) and therefore no
response to an EAP Polling Beacon. The auth-fail vlan is when the
authentication actually fails. The device failing authentication will have
access to the vlan specified in auth-fail. Your question was: without an
auth-fail vlan configured, will the device have access? I think you are
correct in saying it will not. However, I need to double check that
myself. According to the docCD, the default is "There is no auth-fail vlan
configured" which does leave a bit of room for ambiguity.
Today's Topics:
1. Verifying 802.1x guest vlan. (Simon Baumann)
----------------------------------------------------------------------
Message: 1
Date: Wed, 26 Aug 2009 17:28:31 +0200
From: Simon Baumann <[email protected]>
Subject: [OSL | CCIE_Security] Verifying 802.1x guest vlan.
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Hi,
I just did a lab using cat3, acs, acs and xp for setting up an 802.1x
environment. Everything works fine, I could assign different vlans
based on the user credentials, DHCP included running on the switch.
Here's the configuration of the port facing the xp ws.
cat3#sh run int fa 0/15
Building configuration...
Current configuration : 184 bytes
!
interface FastEthernet0/15
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x guest-vlan 66
dot1x auth-fail vlan 66
end
cat3#
I extended it using an auth-fail and guest-vlan. Just for my
understanding: I could use the guest vlan for e.g. separating guests
from my lan and only allowing them internet access or something like
this.
The auth-fail vlan is used when the authentication fails. If none is
set, the port has no access. Is this correct?
TIA!
Cheers
Simon
End of CCIE_Security Digest, Vol 38, Issue 39
*********************************************
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
End of CCIE_Security Digest, Vol 38, Issue 41
*********************************************