interface F0/1
 dot1x mac-auth-bypass
 dot1x mac-auth timeout inactivity 150
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode shutdown

In my lab experience using the above configuration, I noticed that if
one device (in my example, an IP phone) was connected to the port and
it authenticated, then everything was fine. When I plugged in a second
IP phone that did not authenticate properly, the port err-disabled and
both devices were dropped due to dot1x violation-mode shutdown, as
expected.

When I used dot1x violation-mode restrict, the first device maintained
connectivity and the second device's MAC was dropped, but my IP phone,
which was the first device, continued to operate normally.

My example is different from yours. I think your example failed over
to the guest VLAN because you have employed the fail action and
no-response actions, and they are doing exactly what you asked them to
do.

Received on Sun Oct 18 2009 - 02:12:03 ART