{"id":505,"date":"2020-04-06T20:44:48","date_gmt":"2020-04-06T18:44:48","guid":{"rendered":"http:\/\/tech.sosthe.sk\/?page_id=505"},"modified":"2020-04-06T20:44:48","modified_gmt":"2020-04-06T18:44:48","slug":"12-ieee-802-1xa-pokrocilejsie-funkcie","status":"publish","type":"page","link":"http:\/\/tech.sosthe.sk\/index.php\/ccna\/cisco-ios\/12-ieee-802-1xa-pokrocilejsie-funkcie\/","title":{"rendered":"12. IEEE 802.1xa pokro\u010dilej\u0161ie funkcie"},"content":{"rendered":"

Prira\u010fovanie VLAN<\/span><\/h3>\n

Protokol 802.1x<\/span><\/strong><\/em>\u00a0(v spolupr\u00e1ci s Cisco switchom) n\u00e1m d\u00e1va mo\u017enos\u0165<\/span>\u00a0dynamicky zara\u010fova\u0165 porty do VLAN pod\u013ea autentiza\u010dn\u00fdch \u00fadajov<\/span><\/em>\u00a0.\u00a0Tak\u017ee potom nemus\u00edme konfigurova\u0165 spr\u00e1vnu VLAN pre ka\u017ed\u00fd port (ale napriek tomu je potrebn\u00e9 v\u0161etky porty zaradi\u0165 do nejakej VLANy a dobre to rozmyslie\u0165) a u\u017e\u00edvate\u013e z\u00edska svoju VLAN na r\u00f4znych miestach a po\u010d\u00edta\u010doch.\u00a0To ale v\u0161eobecne funguje len, ke\u010f pou\u017e\u00edvame autentiz\u00e1ciu u\u017e\u00edvate\u013ea a nie po\u010d\u00edta\u010de.<\/span><\/p>\n

Konfigur\u00e1cia v Cisco IOSu<\/span><\/h4>\n

Ak m\u00e1me protokol 802.1x spr\u00e1vne nakonfigurovan\u00fd a chceme prida\u0165 podporu pre prira\u010fovanie VLAN z RADIUS servera, pou\u017eijeme nasleduj\u00faci pr\u00edkaz.\u00a0Ten zariadi, \u017ee sa pre sie\u0165ov\u00e9 slu\u017eby (ako je i priradenie VLANy) bude pou\u017e\u00edva\u0165 RADIUS autoriz\u00e1cia.<\/span><\/p>\n

SWITCH (config) # aaa authorization network default group radius<\/strong><\/span><\/pre>\n
V pr\u00edpade, \u017ee RADIUS server nepo\u0161le VLAN (alebo je 802.1x vypnut\u00e9), tak sa port zarad\u00ed do svojej pr\u00edstupovej VLANy (access VLAN, ktor\u00e1 je nastaven\u00e1 na porte).<\/span><\/p>\n
Pozn .:<\/span><\/em><\/strong>\u00a0Ak by bola zaslan\u00e1 chybn\u00e1 (napr\u00edklad neexistuj\u00face) VLAN, tak ju switch odmietne.<\/span><\/p>\n
Ak potrebujeme rie\u0161i\u0165 probl\u00e9my \u010di chceme sledova\u0165, ako prebieha komunik\u00e1cia, tak m\u00f4\u017eeme pou\u017ei\u0165 pr\u00edkaz\u00a0<\/span>debug<\/code>a logova\u0165 ur\u010dit\u00e9 oper\u00e1cie, napr\u00edklad:<\/span><\/p>\n
SWITCH # debug dot1x events <\/strong>      \/\/ logovanie dot1x udalost\u00ed \r\nSWITCH # show logging <\/strong>            \/\/ zobrazenie logu<\/span><\/pre>\n
Pozn .:<\/span><\/em><\/strong>\u00a0Dot1x sa ned\u00e1 pou\u017ei\u0165 na trunk porty a dynamick\u00e9 porty.<\/span><\/p>\n
Konfigur\u00e1cia na MS IAS (RADIUS) servera<\/span><\/h4>\n
Op\u00e4\u0165 vych\u00e1dzam z toho, \u017ee u\u017e m\u00e1me nakonfigurovan\u00e9 overovanie pou\u017e\u00edvate\u013eov.\u00a0Aby sme odoslali VLAN, tak mus\u00edme len prida\u0165 tri\u00a0<\/span>Vendor-specific atrib\u00faty<\/span><\/em><\/strong>\u00a0.\u00a0To urob\u00edme v na\u0161ej\u00a0<\/span>Remote Access Policy<\/span><\/em><\/strong>\u00a0na z\u00e1lo\u017eke Advanced.<\/span><\/p>\n
\"\"<\/p>\n
Ide o nasledovn\u00e9 atrib\u00faty:<\/span><\/p>\n
    \n
  • [64] Tunnel-Type = VLAN (type 13)<\/span><\/li>\n
  • [65] Tunnel-Medium-Type = 802 (type 6)<\/span><\/li>\n
  • [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID<\/span><\/li>\n<\/ul>\n
    Vy\u0161\u0161ie uveden\u00fd postup zariadi, \u017ee v\u0161etci u\u017e\u00edvatelia \/ stanice (na ktor\u00e9 sa uplatn\u00ed t\u00e1to Remote Access Policy) bud\u00fa zaraden\u00ed do nastavenej VLANy.\u00a0To nie je pr\u00edli\u0161 dynamick\u00e9, preto\u017ee v praxi chceme zara\u010fova\u0165 r\u00f4znych pou\u017e\u00edvate\u013eov do r\u00f4znych VLAN.\u00a0Jedno z mo\u017en\u00fdch rie\u0161en\u00ed je nasledovn\u00e9.<\/span><\/p>\n
    Najprv potrebujeme ma\u0165 v\u00a0\u00a0<\/span>Active Directory<\/span><\/strong><\/em>\u00a0vytvoren\u00e9 skupiny pre ka\u017ed\u00fa VLAN a v nich zaraden\u00e9 patri\u010dnej u\u017e\u00edvate\u013ea.\u00a0Napr\u00edklad ke\u010f m\u00e1me VLANy pod\u013ea oddelen\u00ed, tak skupinu pre oddelenie.<\/span><\/p>\n
    Na RADIUS servera potom mus\u00edme vytvori\u0165\u00a0<\/span>Remote Access Policy<\/span><\/em><\/strong>\u00a0pre ka\u017ed\u00fa VLAN.\u00a0V\u00e4\u010d\u0161ina parametrov bude (asi) rovnak\u00e1.\u00a0Upravi\u0165 mus\u00edme podmienky (conditions), pod\u013ea ktor\u00fdch sa prira\u010fuje politika k po\u017eiadavke.\u00a0Tam nastav\u00edme podmienku na Windows-Groups a zad\u00e1me skupinu alebo skupiny z Active Directory, pre ktor\u00e9 sa nastav\u00ed jedna VLAN.\u00a0Potom nastav\u00edme \u010d\u00edslo VLANy na Advanced z\u00e1lo\u017eke politiky (ako bolo uveden\u00e9 vy\u0161\u0161ie).<\/span><\/p>\n
    \"\"<\/p>\n
    Politiky sa testuj\u00fa v porad\u00ed zhora (\u010d\u00edslo 1) dole a vo chv\u00edli, ke\u010f d\u00f4jde k zhode, tak sa politika uplat\u0148uje.\u00a0<\/span>Tak\u017ee m\u00f4\u017eeme nastavi\u0165 nieko\u013eko polit\u00edk pre r\u00f4zne \u0161peci\u00e1lne skupiny a na koniec umiestni\u0165 v\u0161eobecn\u00fa politiku, ktor\u00e1 nastav\u00ed VLAN v\u0161etk\u00fdm ostatn\u00fdm.<\/span><\/p>\n
    \"\"<\/p>\n
    Probl\u00e9m s neobnoven\u00edm adresy na klientovi<\/span><\/h4>\n
    Ob\u010das m\u00f4\u017ee d\u00f4js\u0165 k tomu, \u017ee sa klient zarad\u00ed do spr\u00e1vnej VLANy, ale\u00a0<\/span>nedostane adresu od DHCP servera<\/span><\/strong><\/em>\u00a0.\u00a0Tento probl\u00e9m sa net\u00fdka len tejto kapitoly, \u010dastej\u0161ie sa vyskytuje napr\u00edklad u zara\u010fovanie do Hostovsk\u00fd VLANy.\u00a0Je to sp\u00f4soben\u00e9 r\u00f4znymi timeoutu.\u00a0Ke\u010f sa klient za\u010dne prip\u00e1ja\u0165 do siete, tak po\u0161le DHCP po\u017eiadavku a z\u00e1rove\u0148 za\u010dne proces autentiz\u00e1cie.\u00a0Ak autentiz\u00e1cia trv\u00e1 dlh\u0161ie, ne\u017e vypr\u0161\u00ed timeout na DHCP, tak klient nedostane spr\u00e1vnu adresu.\u00a0V pr\u00edpade\u00a0<\/span>Windows XP SP1<\/span><\/strong><\/em>\u00a0by mal klient po kr\u00e1tkej dobe vykona\u0165 znova vyjednanie adresy.<\/span><\/p>\n
    Ak klient nedostane adresu, tak v\u00e4\u010d\u0161inou pom\u00f4\u017ee vykonanie pr\u00edkazov na z\u00edskanie adresy.\u00a0To je, ale asi len pre testovanie, ostr\u00fa prev\u00e1dzku by sme mali vyladi\u0165, aby fungoval.<\/span><\/p>\n
    ipconfig \/ release <\/strong>\r\nipconfig \/ renew<\/strong><\/span><\/pre>\n
    Podrobnej\u0161ie nastavenie dot1x<\/span><\/h3>\n
    Automatick\u00e1 re-autentiz\u00e1cie<\/span><\/h4>\n
    \u0160tandardne je t\u00e1to funkcia vypnut\u00e1, ale m\u00f4\u017eeme ju zapn\u00fa\u0165 a potom switch po ur\u010ditej dobe realizuje nov\u00fa\u00a0<\/span>autentiz\u00e1ciu klienta<\/span><\/strong><\/em>\u00a0.\u00a0Je rad situ\u00e1ci\u00ed, kedy je t\u00e1to funkcia vhodn\u00e1, napr\u00edklad ke\u010f sa najprv over\u00ed po\u010d\u00edta\u010d, tak po prihl\u00e1sen\u00ed u\u017e\u00edvate\u013ea sa vykon\u00e1 reauntetizace.\u00a0Na druh\u00fa stranu sa potom reautentizace vykon\u00e1va st\u00e1le, \u010do u\u017e nemus\u00ed by\u0165 dobr\u00e9.<\/span><\/p>\n
    \u0160tandardn\u00e9 \u010das pre reautentizaci je 3600 s.<\/span><\/p>\n
    SWITCH (config-if) # dot1x timeout reauth-period 4000 <\/strong>  \/\/ nastavenie \u010dasu reautentizace na 4000 s \r\nSWITCH (config-if) # dot1x reauthentication <\/strong>            \/\/ zapnutie reautentizace na porte<\/span><\/pre>\n
    Reautentizaci m\u00f4\u017eeme vyvola\u0165 aj ru\u010dne na switchi<\/span><\/p>\n
    SWITCH # dot1x re-authenticate interface gigabitethernet0 \/ 1<\/strong><\/span><\/pre>\n
    Reset dot1x konfigur\u00e1cia portu<\/span><\/h4>\n
    Ak chceme resetova\u0165 dot1x nastavenie portu na predvolen\u00e9 hodnoty, m\u00f4\u017eeme pou\u017ei\u0165 pr\u00edkaz:<\/span><\/p>\n
    SWITCH (config-if) # dot1x default<\/strong><\/span><\/pre>\n
    Pozn .:<\/span><\/em><\/strong>\u00a0T\u00fdmto sa aj vypne dot1x na porte, ale nezma\u017ee sa nastavenie<\/span>\u00a0guest<\/span><\/em>\u00a0a<\/span>\u00a0restricted VLAN<\/span><\/em>\u00a0.<\/span><\/p>\n
    Host mode<\/span><\/h4>\n
    Port, kde je zapnut\u00e9 dot1x, m\u00f4\u017ee pracova\u0165 v jednom z dvoch m\u00f3dov:<\/span><\/p>\n
      \n
    • Single hos\u0165<\/span><\/em><\/strong>\u00a0– iba jeden klient m\u00f4\u017ee by\u0165 pripojen\u00fd k portu.<\/span><\/li>\n
    • Multiple hos\u0165<\/span><\/em><\/strong>\u00a0– viac klientov m\u00f4\u017ee by\u0165 pripojen\u00e9 k jedn\u00e9mu portu.\u00a0V tomto pr\u00edpade sa autentiz\u00e1ciou prv\u00e9ho klienta over\u00ed cel\u00fd port a ostatn\u00ed m\u00f4\u017eu pristupova\u0165.<\/span><\/li>\n<\/ul>\n
      Defaultne je m\u00f3d single hos\u0165, ak chceme nastavi\u0165 multiple<\/span><\/p>\n
      SWITCH (config-if) # dot1x hos\u0165-mode multi-host<\/strong><\/span><\/pre>\n
      R\u00f4zne timeouty<\/span><\/h4>\n
      Ak switch nem\u00f4\u017ee autentizova\u0165 klienta (napr\u00edklad chyba v komunik\u00e1cii, ale aj ke\u010f klient zad\u00e1 zl\u00e9 heslo), \u010dak\u00e1 zadan\u00fa dobu (\u0161tandardne 60 s) a potom to sk\u00fasi znova.\u00a0\u010casto sa hod\u00ed tento \u010das skr\u00e1ti\u0165.<\/span><\/p>\n
      SWITCH (config-if) # dot1x timeout quiet-period 10<\/strong><\/span><\/pre>\n
      Switch odosiela po\u017eiadavku na autentiza\u010dn\u00fd \u00fadaje (EAP-request \/ identity r\u00e1mec) a n\u00e1sledne \u010dak\u00e1 ur\u010dit\u00fd \u010das (\u0161tandardne 30 s) na odpove\u010f, ak ju nedostane, tak znovu odo\u0161le r\u00e1mec s ot\u00e1zkou.\u00a0V ur\u010dit\u00fdch \u0161peci\u00e1lnych pr\u00edpadoch m\u00f4\u017eeme tento interval (Switch-to-Client Retransmission Time) zmeni\u0165.<\/span><\/p>\n
      SWITCH (config-if) # dot1x timeout tx-period 15<\/strong><\/span><\/pre>\n
      K tomu sa via\u017ee aj hodnota (Switch-to-Client Frame-Retransmission Number), ko\u013ekokr\u00e1t (\u0161tandardne 2kr\u00e1t) switch odo\u0161le dotaz pri nedostane odpove\u010f.<\/span><\/p>\n
      SWITCH (config-if) # dot1x max-req 5<\/strong><\/span><\/pre>\n
      V pr\u00edpade, \u017ee pou\u017e\u00edvame\u00a0<\/span>Guest VLAN<\/span><\/em>\u00a0a v tejto sieti DHCP, tak m\u00f4\u017ee d\u00f4js\u0165 k tomu, \u017ee autentiza\u010dn\u00fd proces a zaradenie do Guest VLANy trv\u00e1 dlh\u0161ie, ne\u017e vypr\u0161\u00ed timeout pre z\u00edskanie adresy z DHCP, preto sa v tomto pr\u00edpade odpor\u00fa\u010da prekonfigurova\u0165 hodnoty quiet-period a tx-period.\u00a0Presn\u00e1 hodnota z\u00e1le\u017e\u00ed na type klienta, ale napr\u00edklad:<\/span><\/p>\n
      SWITCH (config-if) # dot1x timeout quiet-period 3<\/strong> \r\nSWITCH (config-if) # dot1x timeout tx-period 15<\/strong><\/span><\/pre>\n
      Accounting – \u00fa\u010dtovanie<\/span><\/h3>\n
      Protokol\u00a0<\/span>802.1x<\/span><\/strong>\u00a0sa star\u00e1 o\u00a0<\/span>autentiz\u00e1ciu<\/span><\/em><\/strong>\u00a0(authentication – potvrdenie, \u017ee u\u017e\u00edvate\u013e je ten za koho sa vyd\u00e1va) a\u00a0<\/span>autoriz\u00e1ciu<\/span><\/em><\/strong>\u00a0(authorization – riadenie pr\u00edstupu do zdroja; tu je to napr\u00edklad zaradenie do VLANy).\u00a0Funkcia m\u00f4\u017eeme doplni\u0165 o\u00a0<\/span>\u00fa\u010dtovan\u00ed<\/span><\/em><\/strong>\u00a0(accounting – inak povedan\u00e9 logovanie \u00fadajov), ktor\u00e9 n\u00e1m uchov\u00e1va inform\u00e1cie o:<\/span><\/p>\n
        \n
      • autentiz\u00e1ciu u\u017e\u00edvate\u013ea<\/span><\/li>\n
      • odlogov\u00e1n\u00ed<\/span><\/li>\n
      • link-down<\/span><\/li>\n
      • re-autentiz\u00e1ciu<\/span><\/li>\n<\/ul>\n
        Microsoft IAS<\/span><\/em><\/strong>\u00a0n\u00e1m automaticky (ak povol\u00edme v nastaven\u00ed) uklad\u00e1 do logu inform\u00e1cie pri autentiz\u00e1cii u\u017e\u00edvate\u013ea.\u00a0Pre<\/span>\u00a0accounting<\/span><\/em>\u00a0sa pou\u017e\u00edva in\u00fd port (\u0161tandardne 1646 alebo 1813) ako pre<\/span>\u00a0autentiz\u00e1ciu a autoriz\u00e1ciu<\/span><\/em>\u00a0(\u0161tandardne 1645 \u010di 1812).\u00a0Inform\u00e1cie o<\/span>\u00a0Accounting<\/span><\/em>\u00a0sa zasielaj\u00fa na RADIUS server pomocou p\u00e1rov<\/span>\u00a0atrib\u00fat<\/span><\/em><\/strong>\u00a0a<\/span>\u00a0hodnota<\/span><\/em><\/strong>\u00a0.<\/span><\/p>\n
        Na switchi m\u00f4\u017eeme pou\u017ei\u0165 in\u00fd z\u00e1pis pre definovanie r\u00e1diusom, kde ur\u010d\u00edme porty pre jednotliv\u00e9 slu\u017eby (inak sa pou\u017eij\u00fa defaultn\u00fd).<\/span><\/p>\n
        SWITCH (config) # radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key 123456<\/strong><\/span><\/pre>\n
        Pre zasielanie accounting inform\u00e1ci\u00ed okolo dot1x na RADIUS pou\u017eijeme:<\/span><\/p>\n
        SWITCH (config) # aaa accounting dot1x default start-stop group radius<\/strong><\/span><\/pre>\n
        Pozn .:<\/span><\/em><\/strong>\u00a0default je pre predvolen\u00fd zoznam (a be\u017en\u00e9 situ\u00e1cie), group r\u00e1dius znamen\u00e1, \u017ee sa inform\u00e1cie bud\u00fa zasiela\u0165 na v\u0161etky definovan\u00e9 r\u00e1diusov.<\/span><\/p>\n
        Accounting m\u00f4\u017eeme pou\u017ei\u0165 pre rad \u00fadajov, ktor\u00e9 chceme sledova\u0165 a uklada\u0165, tak\u017ee p\u00e1r pr\u00edkladov z in\u00fdch oblast\u00ed.<\/span><\/p>\n
        Zasielanie inform\u00e1ci\u00ed o re\u0161tarte switche<\/span><\/p>\n
        SWITCH (config) # aaa accounting system default start-stop group radius<\/strong><\/span><\/pre>\n
        Zasielanie inform\u00e1ci\u00ed o prihl\u00e1sen\u00ed u\u017e\u00edvate\u013ea ku switchu (do exec modu)<\/span><\/p>\n
        SWITCH (config) # aaa accounting exec default start-stop group radius<\/strong><\/span><\/pre>\n
        Zasielanie inform\u00e1ci\u00ed o pou\u017eit\u00ed pr\u00edkazov levelu 15<\/span><\/p>\n
        SWITCH (config) # aaa accounting commands 15 default start-stop group radius<\/strong><\/span><\/pre>\n
        Restricted VLAN<\/span><\/h3>\n
        \u010casto m\u00f4\u017eeme chcie\u0165, aby u\u017e\u00edvate\u013e \/ po\u010d\u00edta\u010d, ktor\u00fd\u00a0<\/span>neprejde autentiz\u00e1ciou<\/span><\/strong><\/em>\u00a0(napr\u00edklad preto, \u017ee u n\u00e1s nem\u00e1 \u00fa\u010det), bol napriek tomu vpusten\u00fd do nejakej \u010dasti siete.\u00a0\u0160tandardne sa port prepne do\u00a0<\/span>neautorizovan\u00e9ho stavu<\/span><\/em>\u00a0a blokuje komunik\u00e1ciu.\u00a0Be\u017en\u00fdm pr\u00edkladom je, ke\u010f pr\u00edde nejak\u00e1 n\u00e1v\u0161teva a potrebuje sa dosta\u0165 na internet.\u00a0My m\u00e1me vytvoren\u00fa\u00a0<\/span>VLAN pre host\u00ed<\/span><\/strong><\/em>\u00a0a do nej ich chceme automaticky zaradi\u0165.\u00a0Ak ich OS podporuje\u00a0<\/span>protokol 802.1x<\/span><\/em>\u00a0, tak sa po pripojen\u00ed bude p\u00fdta\u0165 na autentiz\u00e1ciu (ak nemaj\u00fa nastaven\u00e9 automatick\u00e9 vyplnenie).\u00a0A ak m\u00e1me nenastavili\u00a0<\/span>restricted VLAN,<\/span><\/strong><\/em>\u00a0tak sa pri zadan\u00ed zl\u00fdch \u00fadajov (neovereniu klienta) prepne port do tejto VLANy.<\/span><\/p>\n
        SWITCH (config-if) # dot1x auth-fail vlan 40 <\/strong>            \/\/ restricted VLAN je 40 \r\nSWITCH (config-if) # dot1x auth-fail max-attempts 1 <\/strong>     \/\/ po\u010det pokusov o autentiz\u00e1ciu (1 a\u017e 3)<\/span><\/pre>\n
        Pozn .:<\/span><\/em><\/strong>\u00a0Pre restricted VLAN mus\u00ed by\u0165 port v single-host modu.<\/span><\/p>\n
        S\u00a0\u00a0<\/span>restricted VLAN<\/span><\/strong><\/em>\u00a0rovnako ako\u00a0<\/span>guest VLAN<\/span><\/strong><\/em>\u00a0m\u00f4\u017eeme narazi\u0165 na nejak\u00e9 probl\u00e9my.\u00a0\u010casto pom\u00f4\u017ee\u00a0<\/span>zn\u00ed\u017eenie timeoutov<\/span><\/strong><\/em>\u00a0, ako je uveden\u00e9 vy\u0161\u0161ie.\u00a0Tie\u017e sa vyskytuje probl\u00e9m s\u00a0\u00a0<\/span>pridelen\u00edm adresy<\/span><\/strong><\/em>\u00a0z DHCP, ktor\u00fd je tie\u017e pop\u00edsan\u00fd vy\u0161\u0161ie.<\/span><\/p>\n
        guest VLAN<\/span><\/h3>\n
        Podobn\u00e1 situ\u00e1cia ako\u00a0<\/span>restricted VLAN<\/span><\/em>\u00a0je\u00a0<\/span>guest VLAN<\/span><\/strong><\/em>\u00a0.\u00a0T\u00fa vyu\u017eijeme pre klientov, ktor\u00ed\u00a0<\/span>nepodporuj\u00fa 802.1x<\/span><\/strong><\/em>\u00a0(napr\u00edklad, aby si stiahli klienta pre dot1x).\u00a0Do\u00a0<\/span>guest VLANy<\/span><\/em>\u00a0klient zaraden\u00fd, ak nepodporuje protokol 802.1x (neodo\u0161le EAPOL paket ani neodpovie na EAP-request).<\/span><\/p>\n
        SWITCH (config-if) # dot1x guest-vlan 20<\/strong><\/span><\/pre>\n
        V star\u0161\u00edch verzi\u00e1ch IOSu do verzie 12.2 (25) SEE sa pou\u017e\u00edvalo upraven\u00e9 spr\u00e1vanie guest VLANy, ktor\u00e9 bolo v d\u00f4sledku podobnej restricted VLAN.\u00a0Najprv bolo treba pre cel\u00fd switch prepn\u00fa\u0165 spr\u00e1vanie.<\/span><\/p>\n
        SWITCH (config) # dot1x guest-vlan supplicant<\/strong><\/span><\/pre>\n
        A n\u00e1sledne sa norm\u00e1lne konfigurovala guest VLAN pre porty a uplatnila sa na neoveren\u00e9 klientov.<\/span><\/p>\n
        SWITCH (config-if) # dot1x guest-vlan 5<\/strong><\/span><\/pre>\n
        Kontrola a debug<\/span><\/h3>\n
        Inform\u00e1cie o 802.1x<\/span><\/h4>\n
        SWITCH # show dot1x interface f0 \/ 1        <\/strong>\/\/ inform\u00e1cie o 802.1x konfigur\u00e1cii na porte \r\nSWITCH # show dot1x all                   <\/strong>\/\/ inform\u00e1cie o 802.1x zo v\u0161etk\u00fdch portov, kde je zapnut\u00e9 \r\nSWITCH # show dot1x all details           <\/strong>\/\/ kompletn\u00e9 inform\u00e1cie o v\u0161etk\u00fdch 802.1x portoch \r\nSWITCH # show dot1x all statistics        <\/strong>\/\/ \u0161tatistiky o pou\u017eit\u00ed 802.1x na porte \r\nSWITCH # show dot1x all summary           <\/strong>\/\/ stru\u010dn\u00e9 inform\u00e1cie o stave dot1x portov<\/span><\/pre>\n
        Debugging 802.1x<\/span><\/h4>\n
        U nasadzovanie 802.1x asi jednoducho naraz\u00edme na r\u00f4zne probl\u00e9my a potrebujeme vidie\u0165, \u010do sa na switchi deje.\u00a0Preto je najlep\u0161ie pou\u017ei\u0165 debugovania dan\u00fdch inform\u00e1ci\u00ed.<\/span><\/p>\n
        SWITCH # debug dot1x events <\/strong>              \/\/ logovanie dot1x udalost\u00ed \r\nSWITCH # debug dot1x all <\/strong>                 \/\/ logovanie v\u0161etk\u00e9ho okolo dot1x \r\nSWITCH # show debugging <\/strong>                  \/\/ zobraz\u00ed na \u010do je nastaven\u00fd debug \r\nSWITCH # undebug dot1x all <\/strong>               \/\/ zru\u0161\u00ed debug v\u0161etk\u00e9ho okolo 802.1x \r\nSWITCH # show logging <\/strong>                    \/\/ zobraz\u00ed log<\/span><\/pre>\n
        Inform\u00e1cie o AAA a RADIUS<\/span><\/h4>\n
        SWITCH # show radius statistics <\/strong>        \/\/ \u0161tatistiky z r\u00e1dius \r\nSWITCH # show aaa servers          <\/strong>      \/\/ \u0161tatistiky z AAA a napojenia na RADIUS \r\nSWITCH # show aaa method-lists all <\/strong>     \/\/ zoznam met\u00f3d a ktor\u00e9 s\u00fa pou\u017eit\u00e9 \r\nSWITCH # debug radius accounting <\/strong>        \/\/ logovanie accounting inform\u00e1ci\u00ed posielan\u00fdch na radius<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"
        Prira\u010fovanie VLAN Protokol 802.1x\u00a0(v spolupr\u00e1ci s Cisco switchom) n\u00e1m d\u00e1va mo\u017enos\u0165\u00a0dynamicky zara\u010fova\u0165 porty do VLAN pod\u013ea autentiza\u010dn\u00fdch \u00fadajov\u00a0.\u00a0Tak\u017ee potom nemus\u00edme konfigurova\u0165 spr\u00e1vnu VLAN pre ka\u017ed\u00fd…<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":431,"menu_order":2,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/505"}],"collection":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/comments?post=505"}],"version-history":[{"count":1,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/505\/revisions"}],"predecessor-version":[{"id":509,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/505\/revisions\/509"}],"up":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/431"}],"wp:attachment":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/media?parent=505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}