Trouble with 802.1x : works on WS-C2950T-24 not on WS-C2950T-48-SI

Unanswered Question
Jul 2nd, 2007

Hi,


I configured 802.1x with VLAN assignment on a WS-C2950T-24 with system image file c2950-i6q4l2-mz.121-22.EA1.bin. The RADIUS server is FreeRadius 1.0.1. Everything works well.


I cut&pasted the same 802.1x configuration on a WS-C2950T-48-SI with the same image. I connected the very same supplicant (a Laptop with Windows XP) which was working on the WS-C2950T-24. It doesn't work on the WS-C2950T-48-SI.


I could verify the following :

- the RADIUS logs are identical in both cases. They end with "Login OK" and an EAP Accept-Packet containing:

Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "72"

(72 is the expected VLAN if 802.1x auth. completes successfully)


- on the WS-C2950T-48-SI, the "show dot1x all" command shows that the port is in the following state :

Dot1x Info for interface FastEthernet0/48
Supplicant MAC 0008.74e2.fbb6
AuthSM State = AUTHENTICATED
BendSM State = IDLE
PortStatus = AUTHORIZED
MaxReq = 2
HostMode = Single
Port Control = Auto


and the "show VLAN" shows that the port remained in VLAN 1.


- moreover, on the WS-C2950T-48-SI, I noticed that the "dot1x guest-vlan" does not exist :

tolstoi(config-if)#dot1x guest-vlan
^
% Invalid input detected at '^' marker.


Is there a difference in how the two switches handle 802.1X?



Jagdeep Gambhir Mon, 07/02/2007 - 04:48

Hi,

You seem to be running a standard image which does not support dot1x.


Please check this link,


http://www.cisco.com/en/US/products/hw/switches/ps628/prod_release_note09186

a008034b29d.html#wp638417


Refer table 7 in the above link.

As per the table, only the Enhanced Image supports 802.1x, not the standard image.


Hope that helps !


Regards,

~JG


Please rate if helps !

rdirlewanger Wed, 07/04/2007 - 22:51

It seems that the above link doesn't work anymore, even when concatenating the two lines.


Anyway, thanks to your post I could refine my searches on Cisco's pages. And you're right:

- the WS-C2950T-24 and the WS-C2950T-48-SI don't run the same image

- dot1x port security is only available on C2950 which run the enhanced image. This is the case for the WS-C2950T-24 not for the WS-C2950T-48-SI

- there's no upgrade capability for the WS-C2950T-48-SI


Jagdeep Gambhir Thu, 07/05/2007 - 05:04

I'm a bit confused after going through your last post.


You have written "This is the case for the WS-C2950T-24 not for the WS-C2950T-48-SI". I'm not sure what you mean by that?


This is true that 2950 SI does not support dot1x feature.

This link will tell you that you can have 802.1x authentication on a Cat2950 switch only if you are running an Enhanced Image.



http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea4/release/notes/OL7188.html#wp37841


Note: On the SI image the dot1x commands are not supported, but they are still present in the IOS as it is somewhat generic in nature.


Officially dot1x is not supported on 2950 standard image.


Regards,

~JG
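
Added example, not part of any post in this thread: a small Python check for the symptom described in the first post, where a port reports AUTHORIZED but never moves to the VLAN that RADIUS assigned. The function names and the `access_vlans` mapping are hypothetical; the sample text is copied from the output quoted in the question, and VLAN 1 reflects the poster's "show VLAN" observation.

```python
import re

# Sample inputs copied from the output quoted in the first post.
RADIUS_REPLY = '''
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "72"
'''
DOT1X_OUTPUT = '''
Dot1x Info for interface FastEthernet0/48
AuthSM State = AUTHENTICATED
PortStatus = AUTHORIZED
'''

def assigned_vlan(radius_reply):
    """Return the VLAN requested by the reply, or None unless all three
    tunnel attributes used for VLAN assignment are present."""
    attrs = {}
    pattern = r'^\s*([\w-]+)(?::\d+)?\s*=\s*"?([^"\n]+)"?\s*$'
    for m in re.finditer(pattern, radius_reply, re.M):
        attrs[m.group(1)] = m.group(2).strip()
    if attrs.get("Tunnel-Type") != "VLAN":
        return None
    if attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    return attrs.get("Tunnel-Private-Group-Id")

def port_states(dot1x_output):
    """Map interface name -> PortStatus from 'show dot1x all' text."""
    states, iface = {}, None
    for line in dot1x_output.splitlines():
        m = re.match(r'\s*Dot1x Info for interface (\S+)', line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r'\s*PortStatus\s*=\s*(\S+)', line)
        if m and iface:
            states[iface] = m.group(1)
    return states

def audit(radius_reply, dot1x_output, access_vlans):
    """Flag ports that are AUTHORIZED but not in the VLAN the reply assigned.
    access_vlans: interface -> VLAN observed on the switch (assumed input).
    The reply is taken to belong to the session on the listed port."""
    want = assigned_vlan(radius_reply)
    findings = []
    for iface, status in port_states(dot1x_output).items():
        have = str(access_vlans.get(iface))
        if status == "AUTHORIZED" and want is not None and have != want:
            findings.append((iface, want, have))
    return findings

if __name__ == "__main__":
    print(audit(RADIUS_REPLY, DOT1X_OUTPUT, {"FastEthernet0/48": 1}))
```

A non-empty result means authentication succeeded while VLAN assignment was silently skipped, leaving the host in the port's configured VLAN.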
