Trouble with 802.1x : works on WS-C2950T-24 not on WS-C2950T-48-SI

Jul 2nd, 2007

Hi,


I configured 802.1x with VLAN assignment on a WS-C2950T-24 with system image file c2950-i6q4l2-mz.121-22.EA1.bin. The RADIUS server is FreeRadius 1.0.1. Everything works well.


I cut&pasted the same 802.1x configuration on a WS-C2950T-48-SI with the same image. I connected the very same supplicant (a Laptop with Windows XP) which was working on the WS-C2950T-24. It doesn't work on the WS-C2950T-48-SI.


I could verify the following:

- the RADIUS logs are identical in both cases. They end with "Login OK" and an EAP Accept-Packet containing:

Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "72"

(72 is the expected VLAN if 802.1x auth. completes successfully)


- on the WS-C2950T-48-SI, the "show dot1x all" command shows that the port is in the following state:

Dot1x Info for interface FastEthernet0/48
Supplicant MAC 0008.74e2.fbb6
AuthSM State = AUTHENTICATED
BendSM State = IDLE
PortStatus = AUTHORIZED
MaxReq = 2
HostMode = Single
Port Control = Auto


and the "show VLAN" shows that the port remained in VLAN 1.


- moreover, on the WS-C2950T-48-SI, I noticed that the "dot1x guest-vlan" does not exist:

tolstoi(config-if)#dot1x guest-vlan
^
% Invalid input detected at '^' marker.


Is there a difference in how both switches handle 802.1X?



rdirlewanger Wed, 07/04/2007 - 22:51

It seems that the above link doesn't work anymore, even when concatenating the two lines.


Anyway, thanks to your post I could refine my searches on Cisco's pages. And you're right:

- the WS-C2950T-24 and the WS-C2950T-48-SI don't run the same image

- dot1x port security is only available on C2950 which run the enhanced image. This is the case for the WS-C2950T-24 not for the WS-C2950T-48-SI

- there's no upgrade capability for the WS-C2950T-48-SI


Jagdeep Gambhir Thu, 07/05/2007 - 05:04

I'm a bit confused after going through your last post.


You have written "This is the case for the WS-C2950T-24 not for the WS-C2950T-48-SI"; I'm not sure what you mean by that?


It is true that the 2950 SI does not support the dot1x feature.

This link will tell you that you can have 802.1x authentication on a Cat2950 switch only if you are running an Enhanced Image.



http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea4/release/notes/OL7188.html#wp37841


Note: On the SI image the dot1x commands are not supported, but they are still present in the IOS as it is somewhat generic in nature.


Officially dot1x is not supported on the 2950 standard image.


Regards,

~JG
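
The symptom in this thread (port AUTHORIZED, RADIUS returned VLAN 72, port still in VLAN 1) can be checked for mechanically. The following is an added example, not code from any poster or from Cisco: it parses the RADIUS reply and "show dot1x all" formats quoted above and flags authorized ports whose VLAN differs from the assigned one. The function names, the second port (Fa0/1), its MAC and the port-to-VLAN map are assumptions made up for illustration.

```python
import re

def assigned_vlan(reply):
    # VLAN assignment needs all three tunnel attributes; returns None otherwise.
    attrs = {}
    for line in reply.splitlines():
        m = re.match(r'\s*([\w-]+)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    if attrs.get("Tunnel-Type") != "VLAN" or attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    vlan = attrs.get("Tunnel-Private-Group-Id", "")
    return int(vlan) if vlan.isdigit() else None  # assumption: numeric VLAN IDs only

def parse_dot1x(output):
    # One dict per "Dot1x Info for interface ..." block of "show dot1x all".
    ports, cur = [], None
    for line in output.splitlines():
        m = re.match(r"\s*Dot1x Info for interface (\S+)", line)
        if m:
            cur = {"interface": m.group(1)}
            ports.append(cur)
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
        elif cur is not None and line.strip().startswith("Supplicant MAC"):
            cur["Supplicant MAC"] = line.split()[-1]
    return ports

def short_name(ifname):
    # FastEthernet0/48 -> Fa0/48, the short form used as key in the VLAN map.
    return re.sub(r"^(FastEthernet|GigabitEthernet)", lambda m: m.group(1)[:2], ifname)

def unapplied_vlans(dot1x_output, reply_by_mac, vlan_by_port):
    # Ports that are AUTHORIZED but not in the VLAN the RADIUS reply assigned.
    findings = []
    for p in parse_dot1x(dot1x_output):
        mac = p.get("Supplicant MAC")
        want = assigned_vlan(reply_by_mac.get(mac, ""))
        have = vlan_by_port.get(short_name(p["interface"]))
        if p.get("PortStatus") == "AUTHORIZED" and want is not None and have != want:
            findings.append((p["interface"], mac, want, have))
    return findings

# Fa0/48 lines and the reply come from the thread; Fa0/1 and the VLAN map are constructed.
DOT1X = ("Dot1x Info for interface FastEthernet0/1\nSupplicant MAC 0000.5e00.5301\nPortStatus = AUTHORIZED\n"
         "Dot1x Info for interface FastEthernet0/48\nSupplicant MAC 0008.74e2.fbb6\nPortStatus = AUTHORIZED\n")
REPLY = 'Tunnel-Type:0 = VLAN\nTunnel-Medium-Type:0 = IEEE-802\nTunnel-Private-Group-Id:0 = "72"\n'
REPLIES = {"0000.5e00.5301": REPLY, "0008.74e2.fbb6": REPLY}
PORT_VLANS = {"Fa0/1": 72, "Fa0/48": 1}  # e.g. transcribed from the switch's VLAN table
```

Calling unapplied_vlans(DOT1X, REPLIES, PORT_VLANS) reports only FastEthernet0/48, the port that authenticated but stayed in VLAN 1.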
