Re: dot1x & Guest VLAN

From: Edison Ortiz (edisonmortiz@gmail.com)
Date: Wed May 09 2007 - 10:43:35 ART


http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/sw8021x.htm
Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL
packet history and allowed clients that failed authentication access to the
guest VLAN, regardless of whether EAPOL packets had been detected on the
interface. You can enable this optional behavior by using the dot1x
guest-vlan supplicant global configuration command. However, in Cisco IOS
Release 12.2(25)SEE, the dot1x guest-vlan supplicant global configuration
command is no longer supported. Use a restricted VLAN to allow clients that
failed authentication access to the network by entering the dot1x auth-fail
vlan vlan-id interface configuration command.

______________________________

Keep in mind, when enabling aaa new-model - you need to disable
authentication for the vty lines and console port.

----- Original Message -----
From: "Rob McDonald" <robmexpert@gmail.com>
To: <ccielab@groupstudy.com>
Sent: Wednesday, May 09, 2007 4:23 AM
Subject: dot1x & Guest VLAN

> Hello group,
>
> I'm trying to set up 802.1x based guest vlan authentication using a radius
> server @ 100.100.1.100 and password CCIE. Is this the right way to achieve
> this:
>
> aaa new-model
> aaa authentication dot1x default group radius
>
> radius-server host 100.100.1.100
> radius-server key CCIE
>
> dot1x guest-vlan supplicant
> dot1x system-auth-control
>
> interface range fa0/10-13
>  switchport mode access
>  dot1x port-control auto
>  dot1x guest-vlan 100
>
> Also is it mandatory to use the command "dot1x guest-vlan supplicant"?
>
>
>
> Thanks,
>
> Rob
>
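
The restricted-VLAN approach from the quoted Cisco documentation, applied to the configuration in the question, as an added example that is not part of the original thread. The RADIUS host, key, guest VLAN 100 and port range come from the question; VLAN 200 as the restricted VLAN, the VLAN names and the max-attempts value are assumptions.

```ios
! Added example for Cisco IOS Release 12.2(25)SEE (Catalyst 3560).
! Assumptions: VLAN 200, the VLAN names and max-attempts 3 are illustrative.
aaa new-model
aaa authentication dot1x default group radius
!
radius-server host 100.100.1.100
radius-server key CCIE
!
! "dot1x guest-vlan supplicant" is left out: the global command is
! no longer supported in this release.
dot1x system-auth-control
!
vlan 100
 name GUEST
vlan 200
 name RESTRICTED
!
interface range fa0/10 - 13
 switchport mode access
 dot1x port-control auto
 ! Guest VLAN: used when no EAPOL packets have been seen on the port,
 ! i.e. the client has no 802.1x supplicant.
 dot1x guest-vlan 100
 ! Restricted VLAN: used for clients that attempted 802.1x and failed,
 ! which the guest VLAN no longer covers once EAPOL has been detected.
 dot1x auth-fail vlan 200
 dot1x auth-fail max-attempts 3
!
end
```

The per-port result can be checked with `show dot1x interface fastethernet0/10`.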