dot1x confusion on conflict between default port state and OCG explanation
So i'm going through the OCG BOSON practice questions and I come across one that asks:
"What happens to traffic originated from the PC if the switch is configured for 802.1x EAPOL and the PC is not?"
I answered:
A. Traffic passes as normal because the port goes into an authorized state.
The listed correct answer is:
D. No traffic passes. The switchport remains in an unauthorzied state
Well that's great except the default 802.1x port state is 'force-authorized' which bypasses authentication and permits all traffic. Even the OCG on the previous page states "If the switch is configured for 802.1x but the PC does not support it, the switch port remains in the unauthorized state so that it will not forward any traffic to the client PC."
What gives? Has anyone run across this before...
"What happens to traffic originated from the PC if the switch is configured for 802.1x EAPOL and the PC is not?"
I answered:
A. Traffic passes as normal because the port goes into an authorized state.
The listed correct answer is:
D. No traffic passes. The switchport remains in an unauthorzied state
Well that's great except the default 802.1x port state is 'force-authorized' which bypasses authentication and permits all traffic. Even the OCG on the previous page states "If the switch is configured for 802.1x but the PC does not support it, the switch port remains in the unauthorized state so that it will not forward any traffic to the client PC."
What gives? Has anyone run across this before...
Cisco was my first networking love, but my "other" router is a Mikrotik...
Comments
-
bermovick Member Posts: 1,135 ■■■■□□□□□□The default state for the switch would be force-unauthorized, if memory serves; but is the switch really configured for 802.1x until it's fully configured (set to auto)?
I think the gist of the question was to ask if 802.1x would allow connections from devices that didn't support 802.1x. At least that's how I understood it when asked.Latest Completed: CISSP
Current goal: Dunno -
vinbuck Member Posts: 785 ■■■■□□□□□□Maybe on a 3560? My 3550 defaults to force-authorized which I verified with a 'show dot1x int Fa0/15' on my test port. Even after turning on aaa new-model and an unreachable radius server, it still is in that state. The OCG and FLG both list force-authorized as the default state. May have to really lab this and see what the result is. THis si bugging me because I walways assume default settings when answering a Cisco question if no other information is given and usually it is a correct assumption.Cisco was my first networking love, but my "other" router is a Mikrotik...
-
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□According to the Cisco IOS Configuration guide (Configuring 802.1X Port-Based Authentication), the steps to configure 802.1x are--
1) aaa new-model
2) aaa authentication dot1x
3) dot1x port-control auto
Since the question says "if the switch is configured for 802.1x", I'm with bermovick that it's a given that "dot1x port-control auto" (and the other two commands) are configured unless and until evidence is presented to the contrary. Indeed, if someone hired you to configure 802.1x authentication and you left off that command: (1) They could point to the IOS documentation and prove that your configuration is incomplete and (2) You did not solve their authentication problem.
In a similar vein, if we read "OSPF is configured on R1", a configuration devoid of network statements would be unexpected. -
Forsaken_GA Member Posts: 4,024NetworkVeteran wrote: »In a similar vein, if we read "OSPF is configured on R1", a configuration devoid of network statements would be unexpected.
Not at all. I routinely configure OSPF without network statements. A better analogy would be configuring BGP while being devoid of neighbor statements. -
Forsaken_GA Member Posts: 4,024Maybe on a 3560? My 3550 defaults to force-authorized which I verified with a 'show dot1x int Fa0/15' on my test port. Even after turning on aaa new-model and an unreachable radius server, it still is in that state. The OCG and FLG both list force-authorized as the default state. May have to really lab this and see what the result is. THis si bugging me because I walways assume default settings when answering a Cisco question if no other information is given and usually it is a correct assumption.
It's a matter of thinking.
A port being in force-authorized is essentially the same as saying 'dot1x is not configured on this port'. So the default setting is for dot1x to be disabled. Think of it like MPLS - i can enable MPLS globally, but it won't do jack until I go enable it on the interface. So it's reasonable to assume that if a switch is configured for EAPoL, it's processing EAP frames, and that means it's not in the force-authorized state. The only state in which the EAP frames are processed is Auto, which defaults to the port being unauthorized.
For the record, I agree with you, I hate making assumptions. Questions like that assume that you and the author think along the same lines. Those of us who are stuck configuring this crap for real, instead of writing about it, tend to pay attention to the details like default states. -
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□A better analogy would be configuring BGP while being devoid of neighbor statements.
Hah, true, better analogy. -
vinbuck Member Posts: 785 ■■■■□□□□□□Forsaken_GA wrote: »It's a matter of thinking.
For the record, I agree with you, I hate making assumptions. Questions like that assume that you and the author think along the same lines. Those of us who are stuck configuring this crap for real, instead of writing about it, tend to pay attention to the details like default states.
Yup, I hate having to try and figure out what was in someone's head when answering a question. On the upside though, it does make you a sharper engineer because you have to know all the potential combinations to deploying a technology which is beneficial to just understanding "what works"Cisco was my first networking love, but my "other" router is a Mikrotik... -
vinbuck Member Posts: 785 ■■■■□□□□□□NetworkVeteran wrote: »According to the Cisco IOS Configuration guide (Configuring 802.1X Port-Based Authentication), the steps to configure 802.1x are--
1) aaa new-model
2) aaa authentication dot1x
3) dot1x port-control auto
Since the question says "if the switch is configured for 802.1x", I'm with bermovick that it's a given that "dot1x port-control auto" (and the other two commands) are configured unless and until evidence is presented to the contrary. Indeed, if someone hired you to configure 802.1x authentication and you left off that command: (1) They could point to the IOS documentation and prove that your configuration is incomplete and (2) You did not solve their authentication problem.
In a similar vein, if we read "OSPF is configured on R1", a configuration devoid of network statements would be unexpected.
Put in that context, then I can see the validity of the question....don't really like it , but I see what they are driving at. Thanks for the info.Cisco was my first networking love, but my "other" router is a Mikrotik...