that's right. Both ways works fine and under fallback is time savings

Thanks Piotr, without your help I would be running behind of way to get this
working

On Tue, Jul 12, 2011 at 3:45 PM, Piotr Matusiak <[email protected]> wrote:

> As I remember correctly both methods work fine. Attaching an ACL to the
> fallback profile is more elegant and you save your fingers when not
> attaching it to every port :)
>
>
> Regards,
> Piotr
>
>
>
> 2011/7/12 Bruno <[email protected]>
>
>> Damn,
>>
>> I think I was missing ip device tracking for this. That would explain.
>> Thanks Piotr.
>> Well, another question now is what is the good practice.
>> I applied a default acl on the fallback profile allowing only tcp for
>> instance. When I am authenticated, SWs adds the acls downloaded from radius.
>> That's ok and it's working now.
>> But should I apply a default ACL under profile or under the physical port?
>>
>>
>> On Tue, Jul 12, 2011 at 2:23 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Have you configured AAA authorization?
>>> aaa authorization auth-proxy default group radius
>>>
>>> Have you enabled IP device tracking?
>>>
>>> Regards,
>>> Piotr
>>>
>>>
>>> 2011/7/12 Bruno <[email protected]>
>>>
>>>> hey guys,
>>>>
>>>> Why does this thing never works for me?
>>>>
>>>> Here's the port after while waiting.
>>>>
>>>> Dot1x Authenticator Client List
>>>> -------------------------------
>>>> Domain                    = DATA
>>>> Supplicant                = 000c.296c.9268
>>>>     Auth SM State         = AUTHENTICATED
>>>>     Auth BEND SM State    = IDLE
>>>> Port Status               = AUTHORIZED
>>>> Authentication Method     = WebAuth
>>>> Authorized By             = Authentication Server
>>>> Vlan Policy               = N/A
>>>>
>>>> when I try to browse anywhere, nothing shows up to login, never showed.
>>>> Config:
>>>> ip admission name DOT proxy http
>>>> dot1x system-auth-control
>>>> fallback profile FALL
>>>>  ip admission DOT
>>>> interface FastEthernet0/15
>>>>  switchport access vlan X
>>>>  switchport mode access
>>>>  dot1x pae authenticator
>>>>  dot1x port-control auto
>>>>  dot1x violation-mode protect
>>>>  dot1x fallback FALL
>>>>  dot1x auth-fail vlan 999
>>>>
>>>> Should it have anything else I missed to get this thing working?
>>>> Please, let me know your thoughts here
>>>>
>>>> --
>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>> Cisco Security Professional
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>>
>>>
>>>
>>
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional
>>
>
>


-- 
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to