Hi all,

After a failed authentication, the port remains in un-authorized state and is not put into the guest VLAN when I have configured "dot1x guest-vlan supplicant". The 12.2(25)SE configuration guide claims that "dot1x guest-vlan supplicant" is no longer available, while 12.2(44)SE has not mentioned that the command is removed. I am able to configure "dot1x guest-vlan supplicant" with 12.2(46)SE, but it doesn't work.

Any thoughts?

*My configuration*

  dot1x guest-vlan supplicant
  !
  interface FastEthernet1/0/2
   switchport access vlan 2
   switchport mode access
   dot1x pae authenticator
   dot1x port-control auto
   dot1x violation-mode shutdown
   dot1x max-reauth-req 1
   dot1x reauthentication
   dot1x guest-vlan 3

Snippet from http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html

  Using IEEE 802.1x Authentication with Guest VLAN

  You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.

  When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.

  With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest VLAN state.

  Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can enable this optional behavior by using the *dot1x guest-vlan supplicant* global configuration command. However, in Cisco IOS Release 12.2(25)SEE, the *dot1x guest-vlan supplicant* global configuration command is no longer supported.

  Use a restricted VLAN to allow clients that failed authentication access to the network by entering the *dot1x auth-fail vlan* *vlan-id* interface configuration command.

Snippet from http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1241915

  Using IEEE 802.1x Authentication with Guest VLAN

  You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.

  When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.

  With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest VLAN state.

  Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can enable this behavior by using the *dot1x guest-vlan supplicant* global configuration command. In Cisco IOS Release 12.2(25)SEE and later, if devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients that fail authentication access to the guest VLAN.

  If the switch is trying to authorize an IEEE 802.1x-capable voice device and the AAA server is unavailable, the authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the AAA server becomes available, the switch authorizes the voice device. However, the switch no longer allows other devices access to the guest VLAN. To prevent this situation, use one of these command sequences:

  • Enter the *dot1x guest-vlan supplicant* global configuration command to allow access to the guest VLAN.
  • Enter the *shutdown* interface configuration command followed by the *no shutdown* interface configuration command to restart the port.

With regards
Kings
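The two quoted passages describe a small decision procedure: a port goes to the guest VLAN only if no EAPOL frame has been seen since link-up, a failed authentication leaves the port unauthorized unless a restricted VLAN (dot1x auth-fail vlan) is configured, and link-down clears the EAPOL history. The Python model below is an added illustration of those documented rules, written for this thread; it is not IOS code and not Cisco's state machine. The class, method and event names are assumptions, the restricted VLAN number 4 is a constructed value, and the `guest_vlan_supplicant` flag models the pre-12.2(25)SEE behaviour of the global command as the documentation describes it (on a release where the command is not honoured, the flag is effectively false, which is the outcome the post reports).

```python
# Added example: a simplified model of the guest-VLAN / restricted-VLAN decision
# described in the quoted Cisco documentation. Not IOS code; names are assumptions.

from dataclasses import dataclass
from typing import Optional


@dataclass
class Dot1xPort:
    """One 802.1x access port with the knobs that appear in the post."""
    access_vlan: int                      # switchport access vlan <id>
    guest_vlan: Optional[int] = None      # dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None  # dot1x auth-fail vlan <id>
    guest_vlan_supplicant: bool = False   # global "dot1x guest-vlan supplicant"
    link_up: bool = False
    eapol_seen: bool = False              # EAPOL packet history for this link
    state: str = "down"                   # down | unauthorized | authorized | guest | restricted
    vlan: Optional[int] = None            # VLAN the port currently forwards in

    def link_change(self, up: bool) -> None:
        """Link up starts a fresh attempt; link down clears the EAPOL history."""
        self.link_up = up
        self.eapol_seen = False
        self.state = "unauthorized" if up else "down"
        self.vlan = None

    def eapol_received(self) -> None:
        """Any EAPOL frame marks the attached device as 802.1x-capable."""
        if self.link_up:
            self.eapol_seen = True

    def identity_request_timed_out(self) -> str:
        """No EAP response: guest VLAN only if the link never carried EAPOL."""
        if self.guest_vlan is not None and not self.eapol_seen:
            return self._enter("guest", self.guest_vlan)
        return self._enter("unauthorized", None)

    def authentication_failed(self) -> str:
        """A failed EAP exchange means EAPOL was necessarily seen on this link."""
        self.eapol_seen = True
        if self.auth_fail_vlan is not None:
            return self._enter("restricted", self.auth_fail_vlan)
        if self.guest_vlan is not None and self.guest_vlan_supplicant:
            # Pre-12.2(25)SE behaviour, as described for the global command.
            return self._enter("guest", self.guest_vlan)
        return self._enter("unauthorized", None)

    def authentication_succeeded(self, assigned_vlan: Optional[int] = None) -> str:
        """Successful EAP: forward in the RADIUS-assigned VLAN or the access VLAN."""
        return self._enter("authorized", assigned_vlan or self.access_vlan)

    def _enter(self, state: str, vlan: Optional[int]) -> str:
        self.state, self.vlan = state, vlan
        return state


def failed_supplicant(guest_vlan_supplicant: bool, auth_fail_vlan: Optional[int] = None):
    """The case from the post: an 802.1x-capable client that fails authentication."""
    port = Dot1xPort(access_vlan=2, guest_vlan=3, auth_fail_vlan=auth_fail_vlan,
                     guest_vlan_supplicant=guest_vlan_supplicant)
    port.link_change(up=True)
    port.eapol_received()          # the client talked EAPOL, so history is set
    return port.authentication_failed(), port.vlan


def silent_client_after_relink():
    """A non-802.1x host plugged into a port whose earlier link carried EAPOL."""
    port = Dot1xPort(access_vlan=2, guest_vlan=3)
    port.link_change(up=True)
    port.eapol_received()          # previous device was a supplicant
    port.link_change(up=False)     # link down clears the EAPOL history
    port.link_change(up=True)
    return port.identity_request_timed_out(), port.vlan


if __name__ == "__main__":
    print("no auth-fail vlan, command ignored :", failed_supplicant(False))
    print("no auth-fail vlan, command honoured:", failed_supplicant(True))
    print("dot1x auth-fail vlan 4 (constructed):", failed_supplicant(False, auth_fail_vlan=4))
    print("silent client after relink        :", silent_client_after_relink())
```

The model makes the defender's point in the documentation explicit: the guest VLAN is a fallback for hosts that cannot speak 802.1x at all, while a client that did speak EAPOL and then failed should land in the restricted VLAN configured with `dot1x auth-fail vlan`, where its own access policy applies, rather than being promoted into the guest VLAN.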
