From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Wed Jan 07 2009 - 07:44:21 ARST
Hi,
*dot1x guest-vlan supplicant* is required to be globally configured on the
switch to be able to place supplicants that don't complete authentication on
the port into the Guest VLAN. This means that an EAPoL Start is seen on the
wire from the supplicant but then because of absence of certificate(s) the
supplicant doesn't respond to EAP Request ID frames from the switch. The
situation enters a weird state of silence and this is when that command
enables the switch to place the port into the guest-VLAN after a timeout
period and hence the statement "the switch maintains the EAPOL packet
history".
AFAIK, guest VLAN and authfail VLAN configurations are mutually exclusive.
One doesn't affect the behaviour of the other. Guest VLAN is pertinent to
hosts without supplicants (with the exception of the case aforementioned) and
authfail VLAN pertains to supplicants that actually fail authentication due
to either expired credentials or any other reason.
BUT, I can't remember off the top of my head right now, an IOS version of the
3550 doesn't support authfail (as you have mentioned). However, I have not
labbed this up to see that the guest VLAN would cater for hosts failing
authentication as well. You might want to check this up.
HTH,
Sadiq
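As an added illustration (not part of Sadiq's post and not taken from Cisco documentation), this is the IOS configuration shape the post describes: the global `dot1x guest-vlan supplicant` command plus a per-port guest VLAN and auth-fail VLAN. The interface name, VLAN numbers and timer values are assumed, and the `dot1x auth-fail` lines may be rejected on a 3550 IOS image that lacks the feature, as the post notes.

```cisco
! ---- Global ----
! Enable 802.1X on the switch.
dot1x system-auth-control
! Allow a port into the guest VLAN even though an EAPOL frame was seen
! on it (supplicant sent EAPOL-Start but never answered Request-Identity).
! Without this, EAPOL history on the port blocks guest-VLAN assignment.
dot1x guest-vlan supplicant
!
! ---- Per port (assumed interface and VLAN IDs) ----
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! Guest VLAN: hosts with no supplicant (plus the silent-supplicant case
 ! above). Port moves here after max-reauth-req+1 unanswered
 ! Request-Identity frames, each spaced tx-period seconds apart.
 dot1x guest-vlan 900
 dot1x max-reauth-req 2
 dot1x timeout tx-period 30
 ! Auth-fail VLAN: supplicants that actually fail authentication
 ! (bad or expired credentials). Independent of the guest VLAN.
 ! May be unavailable on older 3550 IOS.
 dot1x auth-fail vlan 901
 dot1x auth-fail max-attempts 3
 dot1x timeout quiet-period 60
!
! VLANs 900 and 901 should be restricted (ACLs / no route to internal
! networks) since they carry unauthenticated or failed hosts.
!
! Verify which VLAN the port actually landed in and why:
! show dot1x interface FastEthernet0/1 details
! show dot1x all
```

`show dot1x interface ... details` shows whether the port was authorized into the guest VLAN or the auth-fail VLAN, which is the quickest way to lab the 3550 behaviour the post says it has not tested.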
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:36 ARST