Simon/Paul,
Test it to be sure because it has changed a couple times.  Try without the
auth-fail vlan and see if it is put into the guest vlan.  It may or may not.
Regards,
Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto:  [email protected]
From: [email protected]
[mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Wednesday, August 26, 2009 2:32 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Verifying 802.1x guest vlan
My understanding is as follows.  The guest vlan is used if there is no
802.1x supplicant on the client (or it is disabled) and therefore no
response to an EAP Polling Beacon.  The auth-fail vlan is when the
authentication actually fails.  The device failing authentication will have
access to the vlan specified in auth-fail.  Your question was without an
auth-fail vlan configured, will the device have access?  I think you are
correct in saying it will not.  However, I need to double check that myself.
According to the docCD, the default is "There is no auth-fail vlan
configured" which does leave a bit of room for ambiguity.

Message: 1
Date: Wed, 26 Aug 2009 17:28:31 +0200
From: Simon Baumann <[email protected]>
Subject: [OSL | CCIE_Security] Verifying 802.1x guest vlan.
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

Hi,
I just did a lab using cat3, acs, acs and xp for setting up an 802.1x
environment. Everything works fine, I could assign different vlans
based on the user credentials, DHCP included running on the switch.
Here's the configuration of the port facing the xp ws.

cat3#sh run int fa 0/15
Building configuration...

Current configuration : 184 bytes
!
interface FastEthernet0/15
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x guest-vlan 66
 dot1x auth-fail vlan 66
end

cat3#

I extended it using an auth-fail and guest-vlan. Just for my
understanding: I could use the guest vlan to e.g. separate guests
from my lan and only allow them internet access or something like
this.
The auth-fail vlan is used when the authentication fails. If none is
set, the port has no access. Is this correct?
TIA!

Cheers
Simon
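The following is an added example, not part of any of the messages above. It takes the fallback behaviour as Paul describes it (guest VLAN when no supplicant answers the EAP requests, auth-fail VLAN only when one is configured, otherwise the port stays without access) and turns it into a small audit over IOS-style interface stanzas: for each dot1x port it reports where a client lands in both cases and flags the two configurations worth a second look. Simon's Fa0/15 is reproduced as-is; Fa0/16 and Fa0/17 are constructed variants added to show the other outcomes. The assumption that a port without `dot1x port-control auto` is not enforcing 802.1x (force-authorized default) is the author's, not the thread's; as Tyson says, test the real behaviour on the switch.

```python
"""Audit of 802.1x guest-vlan / auth-fail vlan fallback per interface.

Added example for the thread above; the fallback model follows Paul's
description and should be verified against the switch software in use.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: Fa0/15 is Simon's interface as posted; Fa0/16 and
# Fa0/17 are hypothetical variants added here to show the other outcomes.
SAMPLE_CONFIG = """\
interface FastEthernet0/15
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x guest-vlan 66
 dot1x auth-fail vlan 66
!
interface FastEthernet0/16
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 66
!
interface FastEthernet0/17
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 66
 dot1x auth-fail vlan 99
!
"""


@dataclass
class Dot1xPort:
    name: str
    port_control: Optional[str] = None    # value of 'dot1x port-control'
    guest_vlan: Optional[int] = None      # 'dot1x guest-vlan <id>'
    auth_fail_vlan: Optional[int] = None  # 'dot1x auth-fail vlan <id>'


def parse_interfaces(config: str) -> Dict[str, Dot1xPort]:
    """Collect the dot1x-relevant lines of every 'interface' stanza."""
    ports: Dict[str, Dot1xPort] = {}
    current: Optional[Dot1xPort] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        head = re.match(r"^interface (\S+)$", line)
        if head:
            current = Dot1xPort(head.group(1))
            ports[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any other top-level line ends the stanza
            continue
        cmd = line.strip()
        if (m := re.match(r"dot1x port-control (\S+)$", cmd)):
            current.port_control = m.group(1)
        elif (m := re.match(r"dot1x guest-vlan (\d+)$", cmd)):
            current.guest_vlan = int(m.group(1))
        elif (m := re.match(r"dot1x auth-fail vlan (\d+)$", cmd)):
            current.auth_fail_vlan = int(m.group(1))
    return ports


def port_outcome(port: Dot1xPort, event: str) -> str:
    """Where a client lands on this port.

    event is 'no_supplicant' (nothing answers the EAP requests) or
    'auth_fail' (the supplicant answers but the credentials are rejected).
    """
    if port.port_control != "auto":
        # Assumed IOS default: without 'port-control auto' the port does not
        # enforce 802.1x at all (force-authorized), so no fallback applies.
        return "no 802.1x enforcement"
    if event == "no_supplicant":
        return f"vlan {port.guest_vlan}" if port.guest_vlan is not None else "no access"
    if event == "auth_fail":
        return f"vlan {port.auth_fail_vlan}" if port.auth_fail_vlan is not None else "no access"
    raise ValueError(f"unknown event {event!r}")


def audit(ports: Dict[str, Dot1xPort]) -> List[str]:
    """Flag the two fallback configurations a reviewer should look at twice."""
    findings: List[str] = []
    for p in ports.values():
        if p.port_control != "auto":
            continue
        if p.guest_vlan is not None and p.guest_vlan == p.auth_fail_vlan:
            findings.append(
                f"{p.name}: guest-vlan and auth-fail vlan are both {p.guest_vlan}; "
                f"a client whose credentials are rejected gets exactly the same "
                f"access as a client with no supplicant at all")
        if p.guest_vlan is not None and p.auth_fail_vlan is None:
            findings.append(
                f"{p.name}: no auth-fail vlan; a rejected client gets no access, "
                f"but a device that simply never answers EAP still lands in "
                f"vlan {p.guest_vlan}")
    return findings


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for port in parsed.values():
        print(f"{port.name}: no supplicant -> {port_outcome(port, 'no_supplicant')}"
              f" | auth failure -> {port_outcome(port, 'auth_fail')}")
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Run against Simon's stanza the audit points out what the thread is circling around: with both VLANs set to 66, a wrong password and a missing supplicant are indistinguishable from the network's point of view, so the guest VLAN policy has to be acceptable for a device that has actively failed authentication.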
