RE: dot1x guest-vlan supplicant

From: Mike Kraus \(mikraus\) (mikraus@cisco.com)
Date: Tue Jul 03 2007 - 21:35:28 ART


I suppose it depends on the IOS version of the 3560s in the lab these
days.

"With Cisco IOS Release 12.2(25)SE and later, the switch maintains the
EAPOL packet history. If an EAPOL packet is detected on the interface
during the lifetime of the link, the switch determines that the device
connected to that interface is an IEEE 802.1x-capable supplicant, and
the interface does not change to the guest VLAN state. EAPOL history is
cleared if the interface link status goes down. If no EAPOL packet is
detected on the interface, the interface changes to the guest VLAN
state.

Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
EAPOL packet history and allowed clients that failed authentication
access to the guest VLAN, regardless of whether EAPOL packets had been
detected on the interface. You can enable this optional behavior by
using the dot1x guest-vlan supplicant global configuration command.
However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan
supplicant global configuration command is no longer supported. Use a
restricted VLAN to allow clients that failed authentication access to
the network by entering the dot1x auth-fail vlan vlan-id interface
configuration command."

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/sw8021x.htm#wp1176660

So:

Before 12.2(25)SE:

interface range f1/0/1 - 48
 switchport mode access
 switchport access vlan 100
 dot1x port-control auto
 dot1x guest-vlan 900

802.1x success: VLAN 100
802.1x failure: VLAN 900
No 802.1x: VLAN 900

12.2(25)SE to 12.2(25)SED:

interface range f1/0/1 - 48
 switchport mode access
 switchport access vlan 100
 dot1x port-control auto
 dot1x guest-vlan 900

802.1x success: VLAN 100
802.1x failure: unauthorized, no access (unless the "dot1x guest-vlan
supplicant" command is used, then VLAN 900).
No 802.1x: VLAN 900

So, in 12.2(25)SEE and later:

interface range f1/0/1 - 48
 switchport mode access
 switchport access vlan 100
 dot1x port-control auto
 dot1x auth-fail vlan 999
 dot1x guest-vlan 900

802.1x success: VLAN 100
802.1x failure: VLAN 999
No 802.1x: VLAN 900

Of course, you could also assign a VLAN via RADIUS for success, and you
also could have the restricted (auth-fail) and guest VLANs be the same
VLAN if you so desired.
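The version-dependent behaviour summarised above, as an added Python model (not Cisco code and not from the thread): it encodes the EAPOL-history rule and the guest / auth-fail VLAN outcomes for the three release ranges quoted from the configuration guide. The release-string parser, the field names and the "silent" outcome label are assumptions made for the model.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Release boundaries quoted in the reply (constructed model, not Cisco code).
EAPOL_HISTORY_FROM = (12, 2, 25, "SE", 0)      # switch starts keeping EAPOL history
GUEST_SUPPLICANT_GONE = (12, 2, 25, "SEE", 0)  # "dot1x guest-vlan supplicant" removed

def ios_key(ios: str) -> tuple:
    """'12.2(25)SED1' -> (12, 2, 25, 'SED', 1), so releases compare as tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)", ios.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release string: {ios!r}")
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train, int(rebuild or 0))

@dataclass
class Port:
    ios: str
    access_vlan: int
    guest_vlan: Optional[int] = None        # dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None    # dot1x auth-fail vlan <id> (assumed set only where supported)
    guest_vlan_supplicant: bool = False     # global dot1x guest-vlan supplicant
    eapol_seen: bool = False                # EAPOL history for the current link

    def link_down(self) -> None:
        self.eapol_seen = False             # history is cleared when the link drops

def resulting_vlan(port: Port, outcome: str, radius_vlan: Optional[int] = None) -> Optional[int]:
    """VLAN the host ends up in, or None if the port stays unauthorized.
    outcome: 'success' or 'failure' (an EAPOL exchange took place) or 'silent'
    (no EAPOL reply to the switch's requests in this attempt)."""
    ver = ios_key(port.ios)
    if outcome in ("success", "failure"):
        port.eapol_seen = True              # the supplicant spoke EAPOL on this link
    if outcome == "success":
        return radius_vlan if radius_vlan is not None else port.access_vlan
    if outcome == "silent":
        # EAPOL history: a host that ever spoke 802.1x on this link stays out of the guest VLAN
        if ver >= EAPOL_HISTORY_FROM and port.eapol_seen:
            return None
        return port.guest_vlan
    if port.auth_fail_vlan is not None:     # restricted VLAN takes precedence
        return port.auth_fail_vlan
    if ver < EAPOL_HISTORY_FROM:
        return port.guest_vlan              # pre-SE: failed clients land in the guest VLAN
    if ver < GUEST_SUPPLICANT_GONE and port.guest_vlan_supplicant:
        return port.guest_vlan              # SE..SED: opt back in with the global command
    return None                             # SEE and later: unauthorized, no access
```

Running the same port through "failure" and then "silent" without a link_down() shows why a client that once sent EAPOL never drops into the guest VLAN on 12.2(25)SE and later.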

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
louis john
Sent: Tuesday, July 03, 2007 6:39 PM
To: Cisco certification
Subject: dot1x guest-vlan supplicant

Folks,

Can you please correct my answer to the following question:

I have IEEE clients connected to my switch ports. I am trying to
authenticate them through the DOT1X protocol using a RADIUS server, and I
want to put the unauthenticated clients in guest VLAN 345.

My config:

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
interface range f1/0/1 - 48
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 345

Now, should I also have to enter "dot1x guest-vlan supplicant" in the
global configuration, as this is a hidden command on 3750 switches, as we
usually do on 3550 switches?

Now I believe that if I put this command in, then the unauthenticated
IEEE-capable clients will be moved to the guest VLAN.

I appreciate your feedback.

This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:39 ART