As I remember correctly both methods work fine. Attaching an ACL to the
fallback profile is more elegant and you save your fingers when not
attaching it to every port :)

Regards,
Piotr



2011/7/12 Bruno <[email protected]>

> Damn,
>
> I think I was missing ip device tracking for this. That would explain.
> Thanks Piotr.
> Well, another question now is what is the good practice.
> I applied a default acl on the fallback profile allowing only tcp for
> instance. When I am authenticated, SWs adds the acls downloaded from radius.
> That's ok and it's working now.
> But should I apply a default ACL under profile or under the physical port?
>
>
> On Tue, Jul 12, 2011 at 2:23 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Have you configured AAA authorization?
>> aaa authorization auth-proxy default group radius
>>
>> Have you enabled IP device tracking?
>>
>> Regards,
>> Piotr
>>
>>
>> 2011/7/12 Bruno <[email protected]>
>>
>>> hey guys,
>>>
>>> Why does this thing never works for me?
>>>
>>> Here's the port after while waiting.
>>>
>>> Dot1x Authenticator Client List
>>> -------------------------------
>>> Domain                    = DATA
>>> Supplicant                = 000c.296c.9268
>>>     Auth SM State         = AUTHENTICATED
>>>     Auth BEND SM State    = IDLE
>>> Port Status               = AUTHORIZED
>>> Authentication Method     = WebAuth
>>> Authorized By             = Authentication Server
>>> Vlan Policy               = N/A
>>>
>>> when I try to browse anywhere, nothing shows up to login, never showed.
>>> Config:
>>> ip admission name DOT proxy http
>>> dot1x system-auth-control
>>> fallback profile FALL
>>>  ip admission DOT
>>> interface FastEthernet0/15
>>>  switchport access vlan X
>>>  switchport mode access
>>>  dot1x pae authenticator
>>>  dot1x port-control auto
>>>  dot1x violation-mode protect
>>>  dot1x fallback FALL
>>>  dot1x auth-fail vlan 999
>>>
>>> Should it have anything else I missed to get this thing working?
>>> Please, let me know your thoughts here
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>
>>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to