No problem mate! Keep studying!
2011/7/12 Bruno <[email protected]> > that's right. Both ways works fine and under fallback is time savings > > Thanks Piotr, without your help I would be running behind of way to get > this working > > > On Tue, Jul 12, 2011 at 3:45 PM, Piotr Matusiak <[email protected]> wrote: > >> As I remember correctly both methods work fine. Attaching an ACL to the >> fallback profile is more elegant and you save your fingers when not >> attaching it to every port :) >> >> >> Regards, >> Piotr >> >> >> >> 2011/7/12 Bruno <[email protected]> >> >>> Damn, >>> >>> I think I was missing ip device tracking for this. That would explain. >>> Thanks Piotr. >>> Well, another question now is what is the good practice. >>> I applied a default acl on the fallback profile allowing only tcp for >>> instance. When I am authenticated, SWs adds the acls downloaded from radius. >>> That's ok and it's working now. >>> But should I apply a default ACL under profile or under the physical >>> port? >>> >>> >>> On Tue, Jul 12, 2011 at 2:23 PM, Piotr Matusiak <[email protected]> wrote: >>> >>>> Have you configured AAA authorization? >>>> aaa authorization auth-proxy default group radius >>>> >>>> Have you enabled IP device tracking? >>>> >>>> Regards, >>>> Piotr >>>> >>>> >>>> 2011/7/12 Bruno <[email protected]> >>>> >>>>> hey guys, >>>>> >>>>> Why does this thing never works for me? >>>>> >>>>> Here's the port after while waiting. >>>>> >>>>> Dot1x Authenticator Client List >>>>> ------------------------------- >>>>> Domain = DATA >>>>> Supplicant = 000c.296c.9268 >>>>> Auth SM State = AUTHENTICATED >>>>> Auth BEND SM State = IDLE >>>>> Port Status = AUTHORIZED >>>>> Authentication Method = WebAuth >>>>> Authorized By = Authentication Server >>>>> Vlan Policy = N/A >>>>> >>>>> when I try to browse anywhere, nothing shows up to login, never showed. >>>>> Config: >>>>> ip admission name DOT proxy http >>>>> dot1x system-auth-control >>>>> fallback profile FALL >>>>> ip admission DOT >>>>> interface FastEthernet0/15 >>>>> switchport access vlan X >>>>> switchport mode access >>>>> dot1x pae authenticator >>>>> dot1x port-control auto >>>>> dot1x violation-mode protect >>>>> dot1x fallback FALL >>>>> dot1x auth-fail vlan 999 >>>>> >>>>> Should it have anything else I missed to get this thing working? >>>>> Please, let me know your thoughts here >>>>> >>>>> -- >>>>> Bruno Fagioli (by Jaunty Jackalope) >>>>> Cisco Security Professional >>>>> >>>>> _______________________________________________ >>>>> For more information regarding industry leading CCIE Lab training, >>>>> please visit www.ipexpert.com >>>>> >>>>> Are you a CCNP or CCIE and looking for a job? Check out >>>>> www.PlatinumPlacement.com >>>>> >>>> >>>> >>> >>> >>> -- >>> Bruno Fagioli (by Jaunty Jackalope) >>> Cisco Security Professional >>> >> >> > > > -- > Bruno Fagioli (by Jaunty Jackalope) > Cisco Security Professional >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
