Hi,

The hosts that don't send EAPOL packets are placed in the guest VLAN.

The switch actually maintains an EAPOL packet history, based on which it places the host in the guest VLAN. If you want to place an authorization-failed host in the guest VLAN, then you need to configure "dot1x guest-vlan supplicant". This command disables the EAPOL history. Even if EAPOL packets are detected, the failed clients are allowed to be placed in the guest VLAN.

With regards,
Kings

On Thu, Aug 27, 2009 at 2:42 AM, Tyson Scott <[email protected]> wrote:

> Simon/Paul,
>
> Test it to be sure because it has changed a couple of times. Try without the
> auth-fail vlan and see if it is put into the guest vlan. It may or may not.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
> Storage Lab Certifications.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
> Sent: Wednesday, August 26, 2009 2:32 PM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Verifying 802.1x guest vlan
>
> My understanding is as follows. The guest vlan is used if there is no
> 802.1x supplicant on the client (or it is disabled) and therefore no
> response to an EAP polling beacon. The auth-fail vlan is used when the
> authentication actually fails. The device failing authentication will have
> access to the vlan specified in auth-fail. Your question was: without an
> auth-fail vlan configured, will the device have access? I think you are
> correct in saying it will not.
> However, I need to double check that myself. According to the DocCD, the
> default is "There is no auth-fail vlan configured", which does leave a bit
> of room for ambiguity.
>
> Today's Topics:
>
> 1. Verifying 802.1x guest vlan. (Simon Baumann)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 26 Aug 2009 17:28:31 +0200
> From: Simon Baumann <[email protected]>
> Subject: [OSL | CCIE_Security] Verifying 802.1x guest vlan.
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Hi,
> I just did a lab using cat3, acs, acs and xp for setting up an 802.1x
> environment. Everything works fine, I could assign different vlans
> based on the user credentials, DHCP included running on the switch.
> Here's the configuration of the port facing the xp ws.
>
> cat3#sh run int fa 0/15
> Building configuration...
>
> Current configuration : 184 bytes
> !
> interface FastEthernet0/15
>  switchport mode access
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x violation-mode protect
>  dot1x guest-vlan 66
>  dot1x auth-fail vlan 66
> end
>
> cat3#
>
> I extended it using an auth-fail and guest-vlan. Just for my
> understanding: I could use the guest vlan to e.g. separate guests
> from my LAN and only allow them internet access or something like
> this.
> The auth-fail vlan is used when the authentication fails. If none is
> set, the port has no access. Is this correct?
> TIA!
>
> Cheers
> Simon
>
> End of CCIE_Security Digest, Vol 38, Issue 39
> *********************************************
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
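To make the cases discussed in this thread concrete, here is a small Python model of the VLAN decision a Catalyst 802.1X port makes for a host. It is an added example, not code from the thread, from IPexpert or from Cisco. The PortConfig fields, the event names, and the rule that a configured auth-fail VLAN takes precedence over the guest VLAN are assumptions made for illustration; IOS timers and retry counters (the polls before a timeout, the failures before auth-fail kicks in) are deliberately not modelled. The scenarios use Simon's port (VLAN 66 for both guest and auth-fail) plus the variants Tyson and Kings describe.

```python
"""Model of which VLAN a Cisco Catalyst 802.1X port places a host in.

Added example (not the thread's or Cisco's code). Assumptions:
  - 'eapol'       : an EAPOL frame arrived from the host (a supplicant exists)
  - 'auth_ok:<n>' : RADIUS accepted the user and assigned VLAN n
  - 'auth_fail'   : authentication failed (retry limit already exhausted)
  - 'timeout'     : no EAPOL reply to the switch's EAP-Request/Identity polls
Retry counters and timers of real IOS are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PortConfig:
    guest_vlan: Optional[int] = None        # interface: dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None    # interface: dot1x auth-fail vlan <id>
    guest_vlan_supplicant: bool = False     # global:    dot1x guest-vlan supplicant


def process_events(cfg: PortConfig, events: List[str]) -> Optional[int]:
    """Return the VLAN the host lands in, or None if the port stays unauthorized."""
    eapol_seen = False  # the switch's per-port EAPOL history from Kings' reply
    for ev in events:
        if ev == "eapol":
            eapol_seen = True
        elif ev.startswith("auth_ok:"):
            # Successful auth: the RADIUS-assigned VLAN wins.
            return int(ev.split(":", 1)[1])
        elif ev == "auth_fail":
            if cfg.auth_fail_vlan is not None:
                return cfg.auth_fail_vlan
            # Without an auth-fail VLAN a failed host only gets the guest VLAN
            # when 'dot1x guest-vlan supplicant' is configured (assumption: the
            # auth-fail VLAN, if present, takes precedence).
            if cfg.guest_vlan is not None and cfg.guest_vlan_supplicant:
                return cfg.guest_vlan
            return None
        elif ev == "timeout":
            # No supplicant answered. The guest VLAN is used only if the port has
            # never seen EAPOL, unless the global command disables that history.
            if cfg.guest_vlan is not None and (not eapol_seen or cfg.guest_vlan_supplicant):
                return cfg.guest_vlan
            return None
        else:
            raise ValueError(f"unknown event {ev!r}")
    return None  # no decisive event yet: port still unauthorized


def scenarios() -> Dict[str, Optional[int]]:
    """The situations raised in the thread, as a name -> resulting VLAN map."""
    simon = PortConfig(guest_vlan=66, auth_fail_vlan=66)           # Simon's fa0/15
    no_authfail = PortConfig(guest_vlan=66)                        # Tyson's test
    no_authfail_supp = PortConfig(guest_vlan=66, guest_vlan_supplicant=True)  # Kings' fix
    return {
        "no supplicant -> guest vlan": process_events(simon, ["timeout"]),
        "good credentials -> RADIUS vlan": process_events(simon, ["eapol", "auth_ok:10"]),
        "bad credentials -> auth-fail vlan": process_events(simon, ["eapol", "auth_fail"]),
        "bad credentials, no auth-fail vlan -> no access":
            process_events(no_authfail, ["eapol", "auth_fail"]),
        "bad credentials, guest-vlan supplicant -> guest vlan":
            process_events(no_authfail_supp, ["eapol", "auth_fail"]),
        "supplicant seen earlier, then silent -> no access":
            process_events(no_authfail, ["eapol", "timeout"]),
    }


if __name__ == "__main__":
    for name, vlan in scenarios().items():
        print(f"{name:55s} {vlan if vlan is not None else 'unauthorized'}")
```

The last scenario is the EAPOL-history case Kings points at: once a supplicant has spoken on the port, a later silence is not treated as "no supplicant", so the host is not dropped into the guest VLAN unless the global command is present. Note also that Simon's lab uses the same VLAN for both roles, so the model cannot tell a guest from a failed client there; separate VLAN ids make the two outcomes distinguishable in the port's authorization state.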
