When you don't have an auth-fail vlan configured, the failed users will remain in the un-authorized state. To prevent this, "dot1x guest-vlan supplicant" can be used.

I guess before 12.2(25)SE the auth-fail vlan concept was not present and hence "dot1x guest-vlan supplicant" was required. After 12.2(25)SE, which supports auth-fail, "dot1x guest-vlan supplicant" doesn't have much importance, as we can use the same vlans for guest and auth-fail. The following snippet will clarify this.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html

Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can enable this optional behavior by using the *dot1x guest-vlan supplicant* global configuration command. However, in Cisco IOS Release 12.2(25)SEE, the *dot1x guest-vlan supplicant* global configuration command is no longer supported. Use a restricted VLAN to allow clients that failed authentication access to the network by entering the *dot1x auth-fail vlan* *vlan-id* interface configuration command.

With regards
Kings

On Wed, Jul 6, 2011 at 5:36 PM, Peter Debye <[email protected]> wrote:
> Hello,
> I wonder what could be a real-life scenario for this config?
> If you want the authentication-failing hosts and supplicant-less hosts
> to be treated equally then you may assign identical vlan ID to both
> guest-vlan and restricted vlan. I believe, the global "dot1x
> guest-vlan supplicant" is not necessary then...
> ==============================
>
> Date: Wed, 6 Jul 2011 12:03:47 +0200
> From: Piotr Matusiak <[email protected]>
> To: Kingsley Charles <[email protected]>
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] dot1x guest-vlan supplicant not functional
> Message-ID: <CAHLkuyQe77Tzgmwcc2HUb9yTsbu=nH1uA+Nwhf=ytgcbg9f...@mail.gmail.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Works for me:
>
> SW3#sh dot1x int g1/0/15 det
>
> Dot1x Info for GigabitEthernet1/0/15
> -----------------------------------
> PAE = AUTHENTICATOR
> PortControl = AUTO
> ControlDirection = Both
> HostMode = SINGLE_HOST
> Violation Mode = PROTECT
> ReAuthentication = Disabled
> QuietPeriod = 60
> ServerTimeout = 30
> SuppTimeout = 30
> ReAuthPeriod = 3600 (Locally configured)
> ReAuthMax = 1
> MaxReq = 2
> TxPeriod = 3
> RateLimitPeriod = 0
> Guest-Vlan = 100
>
> Dot1x Authenticator Client List Empty
>
> Domain = DATA
> Port Status = AUTHORIZED
> Authorized By = Guest-Vlan
> Operational HostMode = MULTI_HOST
> Vlan Policy = 100
>
> SW3#sh run | i dot1x
> aaa authentication dot1x default group radius
> dot1x system-auth-control
> dot1x guest-vlan supplicant
> dot1x pae authenticator
> dot1x port-control auto
> dot1x violation-mode protect
> dot1x timeout tx-period 3
> dot1x max-reauth-req 1
> dot1x guest-vlan 100
>
> Regards,
> Piotr
>
> 2011/7/5 Kingsley Charles <[email protected]>
> > Hi all
> >
> > After a failed authentication, the port remains in un-authorized state
> > and is not put into the guest vlan when I have configured "dot1x
> > guest-vlan supplicant". The 12.2(25)SE configuration guide claims that
> > "dot1x guest-vlan supplicant" is no longer available while 12.2(44)SE
> > has not mentioned that the command is removed. I am able to configure
> > "dot1x guest-vlan supplicant" with 12.2(46)SE but it doesn't work.
> >
> > Any thoughts?
> >
> > *My configuration*
> >
> > dot1x guest-vlan supplicant
> > !
> > interface FastEthernet1/0/2
> >  switchport access vlan 2
> >  switchport mode access
> >  dot1x pae authenticator
> >  dot1x port-control auto
> >  dot1x violation-mode shutdown
> >  dot1x max-reauth-req 1
> >  dot1x reauthentication
> >  dot1x guest-vlan 3
> >
> > Snippet from
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html
> >
> > Using IEEE 802.1x Authentication with Guest VLAN
> >
> > You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
> >
> > When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.
> >
> > With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest VLAN state.
> >
> > Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can enable this optional behavior by using the *dot1x guest-vlan supplicant* global configuration command. However, in Cisco IOS Release 12.2(25)SEE, the *dot1x guest-vlan supplicant* global configuration command is no longer supported. Use a restricted VLAN to allow clients that failed authentication access to the network by entering the *dot1x auth-fail vlan* *vlan-id* interface configuration command.
> >
> > Snippet from
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1241915
> >
> > Using IEEE 802.1x Authentication with Guest VLAN
> >
> > You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
> >
> > When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.
> >
> > With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest VLAN state.
> >
> > Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can enable this behavior by using the *dot1x guest-vlan supplicant* global configuration command.
> >
> > In Cisco IOS Release 12.2(25)SEE and later, if devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients that fail authentication access to the guest VLAN.
> >
> > If the switch is trying to authorize an IEEE 802.1x-capable voice device and the AAA server is unavailable, the authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the AAA server becomes available, the switch authorizes the voice device. However, the switch no longer allows other devices access to the guest VLAN. To prevent this situation, use one of these command sequences:
> >
> > • Enter the *dot1x guest-vlan supplicant* global configuration command to allow access to the guest VLAN.
> >
> > • Enter the *shutdown* interface configuration command followed by the *no shutdown* interface configuration command to restart the port.
> >
> > With regards
> > Kings
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training,
> > please visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com
>
> End of CCIE_Security Digest, Vol 61, Issue 36
> *********************************************
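As an added configuration example (not taken from any message in this thread), this is how the restricted VLAN approach discussed above would be applied to the FastEthernet1/0/2 port from the original configuration on a 12.2(25)SEE or later image, using the same VLAN ID for the guest VLAN and the auth-fail VLAN so that supplicant-less hosts and failed supplicants are treated alike. VLAN numbers and the max-attempts value are assumptions.

```cisco
! Added example, not from the thread. Assumes Cisco IOS 12.2(25)SEE or later
! on a Catalyst 3560; VLAN 2 is the normal access VLAN and VLAN 3 is the
! limited-access VLAN (assumed values). The global "dot1x guest-vlan supplicant"
! is deliberately absent: the 12.2(25)SEE guide quoted above says it is no
! longer supported, and a failed supplicant is handled by the restricted VLAN.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode shutdown
 dot1x max-reauth-req 1
 dot1x reauthentication
 ! Hosts that never answer EAP request/identity (no supplicant) land here.
 dot1x guest-vlan 3
 ! Hosts with a supplicant that fail authentication land here after the
 ! configured number of attempts (default 3; 2 is an assumed value). Using
 ! the same VLAN ID as the guest VLAN gives both cases identical treatment.
 ! The restricted VLAN is supported only in single-host mode (the default).
 dot1x auth-fail vlan 3
 dot1x auth-fail max-attempts 2
!
! Verify with "show dot1x interface FastEthernet1/0/2 details": the
! "Authorized By" and "Vlan Policy" fields (see Piotr's output above) show
! which mechanism authorized the port and the VLAN it was placed in.
```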
