Hi Piotr,

You have mentioned that the host is without a supplicant. By definition, a host failing authentication is put into the guest vlan when "dot1x guest-vlan supplicant" is configured.

Failed MAB authentication users are put into the guest vlan by default and hence it doesn't require "dot1x guest-vlan supplicant". So, since yours doesn't have a supplicant, what is it that is actually failing?

With regards
Kings

On Wed, Jul 6, 2011 at 5:06 PM, Piotr Matusiak <[email protected]> wrote:
> yes, hosts without supplicant.
>
>
> 2011/7/6 Kingsley Charles <[email protected]>
>
>> Piotr, just wanted to confirm. With "dot1x guest-vlan supplicant", failed users are put into the guest vlan in your output. Is my understanding correct?
>>
>>
>> With regards
>> Kings
>>
>> On Wed, Jul 6, 2011 at 3:34 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> checked on
>>>
>>> SW3#sh ver | i IOS
>>> Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
>>>
>>>
>>>
>>> 2011/7/5 Kingsley Charles <[email protected]>
>>>
>>>> Hi all
>>>>
>>>> After a failed authentication, the port remains in un-authorized state and is not put into the guest vlan when I have configured "dot1x guest-vlan supplicant". The 12.2(25)SE configuration guide claims that "dot1x guest-vlan supplicant" is no longer available while 12.2(44)SE has not mentioned that the command is removed. I am able to configure "dot1x guest-vlan supplicant" with 12.2(46)SE but it doesn't work.
>>>>
>>>> Any thoughts?
>>>>
>>>> *My configuration*
>>>>
>>>> dot1x guest-vlan supplicant
>>>> !
>>>> interface FastEthernet1/0/2
>>>>  switchport access vlan 2
>>>>  switchport mode access
>>>>  dot1x pae authenticator
>>>>  dot1x port-control auto
>>>>  dot1x violation-mode shutdown
>>>>  dot1x max-reauth-req 1
>>>>  dot1x reauthentication
>>>>  dot1x guest-vlan 3
>>>>
>>>>
>>>>
>>>> Snippet from
>>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html
>>>>
>>>> Using IEEE 802.1x Authentication with Guest VLAN
>>>>
>>>> You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
>>>>
>>>> When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.
>>>>
>>>>
>>>> With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest VLAN state.
>>>>
>>>> Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can enable this optional behavior by using the *dot1x guest-vlan supplicant* global configuration command. However, in Cisco IOS Release 12.2(25)SEE, the *dot1x guest-vlan supplicant* global configuration command is no longer supported. Use a restricted VLAN to allow clients that failed authentication access to the network by entering the *dot1x auth-fail vlan* *vlan-id* interface configuration command.
>>>>
>>>> Snippet from
>>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1241915
>>>>
>>>> Using IEEE 802.1x Authentication with Guest VLAN
>>>>
>>>> You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
>>>>
>>>> When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.
>>>>
>>>>
>>>> With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest VLAN state.
>>>>
>>>> Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can enable this behavior by using the *dot1x guest-vlan supplicant* global configuration command.
>>>>
>>>> In Cisco IOS Release 12.2(25)SEE and later, if devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients that fail authentication access to the guest VLAN.
>>>>
>>>> If the switch is trying to authorize an IEEE 802.1x-capable voice device and the AAA server is unavailable, the authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the AAA server becomes available, the switch authorizes the voice device. However, the switch no longer allows other devices access to the guest VLAN. To prevent this situation, use one of these command sequences:
>>>>
>>>> • Enter the *dot1x guest-vlan supplicant* global configuration command to allow access to the guest VLAN.
>>>>
>>>> • Enter the *shutdown* interface configuration command followed by the *no shutdown* interface configuration command to restart the port.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>>
>>>
>>>
>>
>
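To make the disagreement in the thread concrete, here is a small model of the port-state decisions as the quoted configuration-guide text describes them (EAPOL history kept for the life of the link, the legacy "dot1x guest-vlan supplicant" behaviour, and the restricted "dot1x auth-fail vlan" alternative). It is an added illustration, not Cisco code and not anything posted in the thread; the state names, the VLAN numbers, and the assumption that a configured auth-fail VLAN takes precedence over the guest VLAN for a failed supplicant are choices of this model.

```python
# Added illustration (not Cisco code): a model of the guest-VLAN and
# restricted-VLAN decisions described in the quoted 12.2(25)SE/12.2(44)SE
# configuration-guide text. The state names, VLAN numbers, and the precedence
# of "auth-fail vlan" over "guest-vlan" are assumptions of this model.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"       # port stays blocked
    AUTHORIZED = "authorized"           # normal access after a successful auth
    GUEST_VLAN = "guest-vlan"           # interface: dot1x guest-vlan <id>
    RESTRICTED_VLAN = "auth-fail-vlan"  # interface: dot1x auth-fail vlan <id>


@dataclass
class PortConfig:
    guest_vlan: Optional[int] = None        # dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None    # dot1x auth-fail vlan <id>
    # Global "dot1x guest-vlan supplicant" (pre-12.2(25)SE behaviour). The
    # thread reports that newer releases accept the command but do not act on
    # it; that corresponds to leaving this False.
    guest_vlan_supplicant: bool = False


@dataclass
class Port:
    cfg: PortConfig
    eapol_seen: bool = False            # EAPOL history for the life of the link
    state: PortState = PortState.UNAUTHORIZED

    def link_down(self) -> None:
        """Link flap: the guide says EAPOL history is cleared when the link goes down."""
        self.eapol_seen = False
        self.state = PortState.UNAUTHORIZED

    def eapol_received(self) -> None:
        """Any EAPOL frame marks the attached device as 802.1x-capable."""
        self.eapol_seen = True

    def eap_timeout(self) -> PortState:
        """No reply to EAP request/identity after the configured retries."""
        if self.cfg.guest_vlan is not None and (
            not self.eapol_seen or self.cfg.guest_vlan_supplicant
        ):
            self.state = PortState.GUEST_VLAN
        else:
            self.state = PortState.UNAUTHORIZED
        return self.state

    def auth_result(self, success: bool) -> PortState:
        """A supplicant answered and the AAA server accepted or rejected it."""
        self.eapol_seen = True           # answering at all proves a supplicant exists
        if success:
            self.state = PortState.AUTHORIZED
        elif self.cfg.auth_fail_vlan is not None:
            # restricted VLAN: the documented replacement for failed supplicants
            self.state = PortState.RESTRICTED_VLAN
        elif self.cfg.guest_vlan is not None and self.cfg.guest_vlan_supplicant:
            # legacy behaviour: failed supplicants allowed into the guest VLAN
            self.state = PortState.GUEST_VLAN
        else:
            self.state = PortState.UNAUTHORIZED
        return self.state


def scenarios() -> dict:
    """Run the cases argued over in the thread; returns a name -> state map."""
    out = {}
    base = PortConfig(guest_vlan=3)                      # mirrors the quoted config

    p = Port(base)                                       # host with no supplicant
    out["no_supplicant"] = p.eap_timeout().value

    p = Port(base)                                       # supplicant, bad credentials
    p.eapol_received()
    out["failed_supplicant"] = p.auth_result(False).value

    p = Port(PortConfig(guest_vlan=3, guest_vlan_supplicant=True))
    p.eapol_received()
    out["failed_supplicant_legacy"] = p.auth_result(False).value

    p = Port(PortConfig(guest_vlan=3, auth_fail_vlan=4))  # VLAN 4 is a constructed value
    p.eapol_received()
    out["failed_supplicant_restricted"] = p.auth_result(False).value

    p = Port(base)                                       # EAPOL seen earlier on this link
    p.eapol_received()
    out["eapol_history_blocks_guest"] = p.eap_timeout().value
    p.link_down()                                        # flap clears the history
    out["after_link_flap"] = p.eap_timeout().value
    return out


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:32s} {state}")
```

Running it shows the point Kings is making: a host that never sends EAPOL lands in the guest VLAN with or without the global command, whereas a supplicant that answers and is rejected only reaches the guest VLAN under the legacy behaviour, and otherwise needs an auth-fail VLAN or stays unauthorized until the link flaps and the EAPOL history is cleared.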
