Just wanted to add another point. Let's say there are 4 hosts connected to the switch port and a guest VLAN is configured. Of the 4 hosts, if one host is 802.1x capable and sends an EAPOL packet, the port is moved to the unauthorized state and the authentication process is started.
The guest VLAN is enabled only as long as no EAPOL packets are heard from any of the hosts. With *dot1x guest-vlan supplicant*, the guest VLAN is still enabled for failed clients irrespective of whether EAPOL is heard or not. I hope my understanding is correct. If I am wrong, please correct me.

With regards
Kings

On Thu, Aug 27, 2009 at 2:28 PM, Kingsley Charles <[email protected]> wrote:
> Hi
>
> The hosts that don't send the EAPOL packets are placed in the guest
> VLANs.
>
> The switch actually maintains an EAPOL packet history based on which it
> places the host in the guest VLANs. If you want to place an authorization-failed
> host in the guest VLAN then you need to configure *dot1x guest-vlan
> supplicant*. This command disables the EAPOL history. Even if the EAPOL
> packets are detected, the failed clients are allowed to be placed on the
> guest VLANs.
>
> With regards
> Kings
>
> On Thu, Aug 27, 2009 at 2:42 AM, Tyson Scott <[email protected]> wrote:
>
>> Simon/Paul,
>>
>> Test it to be sure because it has changed a couple of times. Try without the
>> auth-fail vlan and see if it is put into the guest vlan. It may or may not.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Paul Stewart
>> *Sent:* Wednesday, August 26, 2009 2:32 PM
>> *To:* [email protected]
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] Verifying 802.1x guest vlan
>>
>> My understanding is as follows. The guest vlan is used if there is no
>> 802.1x supplicant on the client (or it is disabled) and therefore no
>> response to an EAP polling beacon. The auth-fail vlan is when the
>> authentication actually fails. The device failing authentication will have
>> access to the vlan specified in auth-fail. Your question was: without an
>> auth-fail vlan configured, will the device have access? I think you are
>> correct in saying it will not. However, I need to double check that
>> myself. According to the DocCD, the default is "There is no auth-fail vlan
>> configured", which does leave a bit of room for ambiguity.
>>
>> Today's Topics:
>>
>> 1. Verifying 802.1x guest vlan. (Simon Baumann)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 26 Aug 2009 17:28:31 +0200
>> From: Simon Baumann <[email protected]>
>> Subject: [OSL | CCIE_Security] Verifying 802.1x guest vlan.
>> To: [email protected]
>>
>> Hi,
>> I just did a lab using cat3, acs, acs and xp for setting up an 802.1x
>> environment. Everything works fine, I could assign different vlans
>> based on the user credentials, DHCP included running on the switch.
>> Here's the configuration of the port facing the xp ws.
>>
>> cat3#sh run int fa 0/15
>> Building configuration...
>>
>> Current configuration : 184 bytes
>> !
>> interface FastEthernet0/15
>>  switchport mode access
>>  dot1x pae authenticator
>>  dot1x port-control auto
>>  dot1x violation-mode protect
>>  dot1x guest-vlan 66
>>  dot1x auth-fail vlan 66
>> end
>>
>> cat3#
>>
>> I extended it using an auth-fail and guest-vlan. Just for my
>> understanding: I could use the guest vlan to e.g. separate guests
>> from my lan and only allow them internet access or something like
>> this.
>> The auth-fail vlan is used when the authentication fails. If none is
>> set, the port has no access. Is this correct?
>> TIA!
>>
>> Cheers
>> Simon
>>
>> End of CCIE_Security Digest, Vol 38, Issue 39
>> *********************************************
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
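The thread above argues about three knobs on one port: `dot1x guest-vlan`, `dot1x auth-fail vlan`, and the global `dot1x guest-vlan supplicant`, plus the per-port EAPOL history that decides which path a host takes. The following is an added example, written for this page and not code from any of the posters or from Cisco; it models the decision logic exactly as the thread describes it (no EAPOL heard: guest VLAN; EAPOL heard and authentication fails: auth-fail VLAN if configured, else guest VLAN only with `guest-vlan supplicant`, else no access) and parses Simon's quoted interface config into that model. The names `PortConfig`, `Host`, `PortState`, `parse_interface_config` and `evaluate_port` are invented for the example, the single-winner rule for multiple supplicants and the `radius_vlan` attribute are simplifying assumptions, and, as Tyson notes, real IOS behaviour has changed between releases, so treat the output as a checklist of cases to try in the lab rather than as a specification.

```python
"""Decision model for the 802.1x guest / auth-fail VLAN behaviour discussed above.

Added example, not code from any poster or from Cisco IOS. It encodes the
rules as the thread states them. Multi-host modes and retry counters are
simplified away (assumption), and real IOS behaviour differs between releases,
so use this as the list of cases to test on a real switch, not as a spec.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PortConfig:
    guest_vlan: Optional[int] = None         # interface: dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None     # interface: dot1x auth-fail vlan <id>
    guest_vlan_supplicant: bool = False      # global: dot1x guest-vlan supplicant


@dataclass
class Host:
    name: str
    has_supplicant: bool                     # does it send EAPOL at all?
    credentials_valid: bool = False
    radius_vlan: Optional[int] = None        # VLAN ACS would return on success (assumed)


@dataclass
class PortState:
    eapol_seen: bool                         # the switch's per-port EAPOL history
    vlan: Optional[int]
    authorized: bool
    reason: str


def parse_interface_config(text: str) -> PortConfig:
    """Pull the two per-port VLAN settings out of a `show run interface` dump."""
    cfg = PortConfig()
    m = re.search(r"^\s*dot1x guest-vlan (\d+)\s*$", text, re.M)
    if m:
        cfg.guest_vlan = int(m.group(1))
    m = re.search(r"^\s*dot1x auth-fail vlan (\d+)\s*$", text, re.M)
    if m:
        cfg.auth_fail_vlan = int(m.group(1))
    return cfg


def evaluate_port(cfg: PortConfig, hosts: List[Host]) -> PortState:
    """Work out where the port ends up once every host behind it has been seen."""
    # EAPOL history is per port: one 802.1x-capable host flips the whole port
    # out of the guest-VLAN path, even if the other hosts have no supplicant.
    eapol_seen = any(h.has_supplicant for h in hosts)

    if not eapol_seen:
        if cfg.guest_vlan is not None:
            return PortState(False, cfg.guest_vlan, True, "no EAPOL heard: guest VLAN")
        return PortState(False, None, False, "no EAPOL heard and no guest VLAN: unauthorized")

    # Simplification (assumption): the port counts as authenticated if any
    # supplicant host presents valid credentials; its RADIUS VLAN wins.
    winner = next((h for h in hosts if h.has_supplicant and h.credentials_valid), None)
    if winner is not None:
        return PortState(True, winner.radius_vlan, True, f"{winner.name} authenticated")

    if cfg.auth_fail_vlan is not None:
        return PortState(True, cfg.auth_fail_vlan, True, "authentication failed: auth-fail VLAN")

    # Without `dot1x guest-vlan supplicant` the EAPOL history keeps a host that
    # tried and failed out of the guest VLAN; with it, the history is ignored.
    if cfg.guest_vlan_supplicant and cfg.guest_vlan is not None:
        return PortState(True, cfg.guest_vlan, True,
                         "authentication failed, guest-vlan supplicant: guest VLAN")
    return PortState(True, None, False, "authentication failed: no access")


# Constructed sample input: Simon's interface config as quoted in the thread.
SIMON_CONFIG = """\
interface FastEthernet0/15
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x guest-vlan 66
 dot1x auth-fail vlan 66
end
"""

if __name__ == "__main__":
    cfg = parse_interface_config(SIMON_CONFIG)
    print(cfg)
    # Kings' four-host case: three dumb hosts plus one supplicant that fails.
    lan = [Host("printer", False), Host("tv", False), Host("nas", False),
           Host("xp", True, credentials_valid=False)]
    print(evaluate_port(cfg, lan))
    # Simon's question: same supplicant, but no auth-fail VLAN configured.
    print(evaluate_port(PortConfig(guest_vlan=66), lan))
```

Running it with Simon's config puts the four-host port into VLAN 66 via the auth-fail path, while the same hosts on a port with only `dot1x guest-vlan 66` end up unauthorized, which is the case Tyson suggests verifying on the switch before relying on it.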
