Regarding "authentication violation shutdown" cmd of 12.2(53)SE2

Dear Experts,

I have a question about an authentication violation issue on Cat2960.

HW/SW:

- WS-C2960G-8TC-L

- c2960-lanbasek9-mz.122-53.SE2.bin

Issue:

According to the following document, by default authentication violation shutdown mode is enabled.

Also, if "shutdown" is configured as the default, the port should become err-disabled when a new device connects to the port.

However, the port does not become "errdisable" even when a non-allowed device is connected to it.

It does become "errdisable" with "dot1x violation-mode shutdown" on IOS 12.2(46)SE.

---------------------------------------------

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst2960/software/release/12.2_53_se/command/reference/cli1.html#wp11888832

Use the authentication violation interface configuration command to configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.

By default authentication violation shutdown mode is enabled.

----------------------------------------------

My questions are the following.

Why does it not become "errdisable" in 12.2(53)SE2? Is this the expected behavior on 12.2(53)SE2?

To configure an IEEE 802.1x-enabled port to be error-disabled and shut down when a new device connects to it, do we still need to configure the port?

Below is the configuration.

The 'authentication violation shutdown' command is not shown because it is the default.

=================================================
aaa new-model
!
!
aaa authentication login default line
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
!
interface GigabitEthernet0/1
 description 1x Access Port
 switchport mode access
 switchport nonegotiate
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 43200
 mab eap
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 1
 no cdp enable
 spanning-tree portfast
=================================================

If you have any questions regarding the content, please let me know.

Thank you very much for your help!

Regards,

Ilhong.
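An added example, not part of the original post: a small Python audit of a running-config fragment like the one above that reports, for every `authentication port-control auto` port, the effective violation mode (falling back to the documented default "shutdown" when no `authentication violation` line is shown, as the poster notes), whether that mode is explicit, and whether the global `errdisable detect cause security-violation` line ends in the `shutdown vlan` keyword, which the script reads as IOS per-VLAN error-disable rather than whole-port error-disable. The sample config is constructed from the post, flush-left as shown there.

```python
# Constructed sample: the relevant lines of the running-config quoted above,
# flush-left exactly as the post shows them (indentation was lost in the post).
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
!
interface GigabitEthernet0/1
authentication port-control auto
mab eap
dot1x pae authenticator
!
"""

def parse_interfaces(config):
    """Return {interface name: [commands]}; a stanza ends at '!' or the next 'interface'."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # end of stanza (global lines are never attached to a port)
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_dot1x(config):
    """Summarise effective 802.1x violation handling for each port-control auto port."""
    lines = [l.strip() for l in config.splitlines()]
    detect = next((l for l in lines if l.startswith("errdisable detect cause security-violation")), "")
    # 'shutdown vlan' on this command selects per-VLAN errdisable instead of the whole port
    scope = "vlan" if detect.endswith("shutdown vlan") else "port"
    recovery = "errdisable recovery cause security-violation" in lines
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # not an 802.1x/MAB controlled port
        mode, explicit = "shutdown", False  # documented default when the line is absent
        for cmd in cmds:
            if cmd.startswith("authentication violation "):
                mode, explicit = cmd.split()[2], True
        report[name] = {"violation_mode": mode, "explicit": explicit,
                        "errdisable_scope": scope, "auto_recovery": recovery}
    return report
```

Run `audit_dot1x(SAMPLE_CONFIG)` on the fragment above: it reports the implicit "shutdown" mode together with a VLAN-scoped errdisable and automatic recovery, which is the combination worth comparing against the port's observed behaviour.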
