Re: Dot1X Guest Vlan

From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Sun Oct 05 2008 - 09:03:39 ART


Hey Gaurav,

This is how it goes:

You are right, when you configure the "dot1x guest-vlan 2" interface config,
the switch will place all NON-DOT1x capable devices in the Guest VLAN when
they fail authentication.

The "dot1x auth-fail vlan" command is used to place DOT1x capable devices
into the auth-fail vlan ONLY when they fail authentication - which basically
means that the aaa server has explicitly returned a "radius access-reject"
message to the switch.

The "dot1x guest-vlan supplicant" global config command is used to place
DOT1x capable devices that for any reason have started exchanging EAPoL or
EAP frames with the switch (hence the DocCD says the switch maintains
history of EAPoL exchange between the switch and the client) but never
finish the exchange and therefore have not successfully authenticated with
the switch (and aaa server running behind the scenes). This means that the
exchange has not explicitly ended with a radius access-reject (and hence
cannot be placed in the auth-fail vlan) and this is when the DOT1x capable
device is placed in the Guest vlan.

It's one of those strange cases which can only be observed when you are doing
an EAP method involving the use of certificates and the client has some
missing certificates. The client begins the EAP exchange and suddenly
realises the missing certificates and it then suddenly goes silent and
unresponsive.

Hope that clears up the air a little bit (or maybe I have successfully
confused you even more ;-)! )

Sadiq
#19963

Blogs and organic groups at http://www.ccie.net
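The three placement cases from the post (non-dot1x device, explicit Access-Reject, dot1x-capable client that goes silent) as a small model, added here as an illustration and not taken from the post or from Cisco code. The IOS fragment is constructed, `parse_policy`/`placement` are made-up helper names, and the model is simplified (it ignores retry counts and timers).

```python
"""Model of Cisco IOS 802.1X guest-VLAN vs auth-fail-VLAN placement (simplified)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed IOS fragment: global "dot1x guest-vlan supplicant" plus one port.
SAMPLE_CONFIG = """\
dot1x system-auth-control
dot1x guest-vlan supplicant
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 2
 dot1x auth-fail vlan 3
"""

@dataclass
class PortPolicy:
    guest_vlan: Optional[int] = None
    auth_fail_vlan: Optional[int] = None
    supplicant_guest: bool = False  # global "dot1x guest-vlan supplicant" present

def parse_policy(config: str) -> PortPolicy:
    """Pull the three settings discussed in the post out of a config fragment."""
    pol = PortPolicy()
    for line in config.splitlines():
        line = line.strip()
        if line == "dot1x guest-vlan supplicant":
            pol.supplicant_guest = True
        elif m := re.fullmatch(r"dot1x guest-vlan (\d+)", line):
            pol.guest_vlan = int(m.group(1))
        elif m := re.fullmatch(r"dot1x auth-fail vlan (\d+)", line):
            pol.auth_fail_vlan = int(m.group(1))
    return pol

def placement(pol: PortPolicy, eapol_seen: bool, result: str) -> str:
    """Where a client lands. result is 'accept', 'reject' (RADIUS Access-Reject) or 'timeout'."""
    if result == "accept":
        return "authorized"
    if result == "reject":  # AAA explicitly rejected: auth-fail VLAN if one is configured
        return f"vlan {pol.auth_fail_vlan}" if pol.auth_fail_vlan else "unauthorized"
    # No verdict from AAA (timeout).
    if not eapol_seen:  # never spoke EAPoL: non-dot1x device, guest VLAN
        return f"vlan {pol.guest_vlan}" if pol.guest_vlan else "unauthorized"
    # Spoke EAPoL but went silent: guest VLAN only with the global supplicant command
    if pol.supplicant_guest and pol.guest_vlan:
        return f"vlan {pol.guest_vlan}"
    return "unauthorized"
```

Without the global `dot1x guest-vlan supplicant` line, the silent dot1x-capable client stays unauthorized rather than landing in VLAN 2, which is the distinction the post is drawing.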



This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:19 ARST