we want to use standalone mac authentication bypass (with freeradius).
Yesterday we tested it with a catalyst 3750 IOS 12.2(35) and it was working fine! The config on an interface looked like that:
(config-if)switchport mode access
(config-if)authentication port-control auto
Today we tried to do the same with a catalyst 2960 IOS 12.2(44). I want to configure the interface like on the 3750, but I can't.
Everytime I write the command "dot1x mac-auth-bypass" (I think this is the correspondent command to "mab") the switch automatically configures "dot1x pae authenticator" and "dot1x violation-mode protect" on the interface. So it looks like that:
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode restrict
If I configure "no dot1x violation-mode protect" the switch accepts the command, but it don't removes the entry from the interface.
If I configure "no dot1x pae authenticator" the switch removes the whole config from the interface except "switchport mode access" and "spanning-tree...".
I don't understand what the problem is?! Is it not possible to use mac authentication bypass without dot1x (-> pae command) and violation-mode in this IOS version???
The violation-mode avoids the contact to the radius server. :-(
that seems to be a code specific issue because I was just checking the command refernce guide and it didn't specify that we needed those two commmands with MAB. Otherwise it should have been specified In the usage guide lines under command refrence guide.
1. Does somebody know if you can use standalone MAB with dot1x guest vlan?
I tried it and the guest vlan was not set. Is it required to configure dot1x with the shortest timeout, so that MAB is starting fast and if it fails, there is the guest vlan.
2. In the config guide there is a sample configuration for standalone MAB. I'm wondering why they configure "switchport access vlan 40"??? In what situation does this takes affect? Is it like the guest vlan? So, if mab fails, the port is configured with vlan 40???
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :