As I remember correctly both methods work fine. Attaching an ACL to the fallback profile is more elegant and you save your fingers when not attaching it to every port :)
Regards, Piotr 2011/7/12 Bruno <[email protected]> > Damn, > > I think I was missing ip device tracking for this. That would explain. > Thanks Piotr. > Well, another question now is what is the good practice. > I applied a default acl on the fallback profile allowing only tcp for > instance. When I am authenticated, SWs adds the acls downloaded from radius. > That's ok and it's working now. > But should I apply a default ACL under profile or under the physical port? > > > On Tue, Jul 12, 2011 at 2:23 PM, Piotr Matusiak <[email protected]> wrote: > >> Have you configured AAA authorization? >> aaa authorization auth-proxy default group radius >> >> Have you enabled IP device tracking? >> >> Regards, >> Piotr >> >> >> 2011/7/12 Bruno <[email protected]> >> >>> hey guys, >>> >>> Why does this thing never works for me? >>> >>> Here's the port after while waiting. >>> >>> Dot1x Authenticator Client List >>> ------------------------------- >>> Domain = DATA >>> Supplicant = 000c.296c.9268 >>> Auth SM State = AUTHENTICATED >>> Auth BEND SM State = IDLE >>> Port Status = AUTHORIZED >>> Authentication Method = WebAuth >>> Authorized By = Authentication Server >>> Vlan Policy = N/A >>> >>> when I try to browse anywhere, nothing shows up to login, never showed. >>> Config: >>> ip admission name DOT proxy http >>> dot1x system-auth-control >>> fallback profile FALL >>> ip admission DOT >>> interface FastEthernet0/15 >>> switchport access vlan X >>> switchport mode access >>> dot1x pae authenticator >>> dot1x port-control auto >>> dot1x violation-mode protect >>> dot1x fallback FALL >>> dot1x auth-fail vlan 999 >>> >>> Should it have anything else I missed to get this thing working? >>> Please, let me know your thoughts here >>> >>> -- >>> Bruno Fagioli (by Jaunty Jackalope) >>> Cisco Security Professional >>> >>> _______________________________________________ >>> For more information regarding industry leading CCIE Lab training, please >>> visit www.ipexpert.com >>> >>> Are you a CCNP or CCIE and looking for a job? Check out >>> www.PlatinumPlacement.com >>> >> >> > > > -- > Bruno Fagioli (by Jaunty Jackalope) > Cisco Security Professional >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
