06-28-2017 01:16 PM - edited 03-11-2019 12:49 AM
This morning I upgraded my 3650 from 3.6.6 to Everest 16.5.1a for some lab testing. I proceeded to configure an access port and found some authentication commands have been deprecated.
Command deprecated (authentication event fail action next-method) - use cpl config
Command deprecated (authentication order dot1x mab) - use cpl config
Command deprecated (authentication priority dot1x mab) - use cpl config
Command deprecated (authentication violation restrict) - use cpl config
When I ran the "authentication display config-mode" command, it told me I was in "new-style" mode.
Has anyone else run into this? I just did a normal upgrade in install mode. I didn't see anything mentioned in the release notes about it either.
06-28-2017 08:48 PM
Wow that is news to me.
Sounds like they are forcing customers to switch over to the IBNS scheme using the class-maps and policy-maps for 802.1x.
I'd be careful with that in production as it's probably going to be some time before all of the bugs are identified and resolved.
06-30-2017 06:42 AM
I found this in Cisco's "Configuring Identity Control Policies" documents:
Session Aware Networking features are configured in the Cisco common classification policy language (C3PL) display mode. The legacy authentication manager mode is enabled by default. You can use the following procedure to switch to C3PL display mode and temporarily convert any legacy configuration commands to their C3PL equivalents. This allows you to preview your legacy configuration as a Session Aware Networking configuration before making the conversion permanent. After you enter an explicit Session Aware Networking command, the conversion becomes permanent and you can no longer revert to legacy mode.
Particularly the last sentence in my case. I didn't change the display mode directly; it was after I entered the first "authentication host-mode multi-domain" that it gave me
"%Command deprecated (authentication host-mode multi-domain ) - use access-session instead"
Unbeknownst to me, entering "access-session host-mode multi-domain" would enable "new-style" when I saved the config and reloaded the switch.
Looks like I will be flashing this guy and returning to 3.6.6 code for now so I can continue labbing dot1x.
Unless anyone knows more about this new-style and cares to chime in.
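A pre-upgrade check for the behaviour discussed in this thread, as an added example that is not part of any post: it scans a saved configuration and lists, per interface, the legacy `authentication` commands reported as deprecated above and any new-style commands already present. Treating `access-session` and `service-policy type control subscriber` as the new-style markers is this example's assumption, and the sample configuration is constructed.

```python
import re

# Legacy auth-manager interface commands the switch reported as deprecated in this thread.
LEGACY = re.compile(r"^authentication\s+(event|order|priority|violation|host-mode)\b")
# Assumption: these prefixes mark new-style (C3PL) interface configuration.
NEW_STYLE = re.compile(r"^(access-session\b|service-policy\s+type\s+control\s+subscriber\b)")

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication violation restrict
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication host-mode multi-domain
 access-session host-mode multi-domain
!
interface GigabitEthernet1/0/3
 switchport mode access
"""

def audit(config_text):
    """Return {interface: {"legacy": [...], "new_style": [...]}} for ports with auth config."""
    report, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level line closes the interface block
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        kind = "legacy" if LEGACY.match(line) else "new_style" if NEW_STYLE.match(line) else None
        if kind:
            report.setdefault(current, {"legacy": [], "new_style": []})[kind].append(line)
    return report

def mixed(report):
    """Interfaces carrying both styles: review these before saving and reloading."""
    return sorted(i for i, r in report.items() if r["legacy"] and r["new_style"])

if __name__ == "__main__":
    result = audit(SAMPLE)
    for name, found in result.items():
        print(name, "legacy:", len(found["legacy"]), "new-style:", len(found["new_style"]))
    print("mixed:", mixed(result))
```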