Exactly, when you configure auth-fail, it takes priority and the user is put into the auth-fail VLAN even if "dot1x guest-vlan supplicant" is configured. With auth-fail configured, "dot1x guest-vlan supplicant" is simply ignored.
Thanks Piotr.

With regards
Kings

On Wed, Jul 6, 2011 at 7:18 PM, Piotr Matusiak <[email protected]> wrote:

> As far as I remember it worked that way before introducing fail-vlan. Now,
> hosts without a supplicant are going to the guest-vlan, and hosts failing
> authentication are going to the fail-vlan.
>
> Regards,
> Piotr
>
> 2011/7/6 Kingsley Charles <[email protected]>
>
>> Hi Piotr,
>>
>> You have mentioned that the host is without a supplicant. By definition, a
>> host failing authentication is put into the guest vlan when "dot1x
>> guest-vlan supplicant" is configured.
>>
>> Failed MAB authentication users are put into the guest vlan by default and
>> hence it doesn't require "dot1x guest-vlan supplicant".
>>
>> So, since yours doesn't have a supplicant, what is it that is actually
>> failing?
>>
>> With regards
>> Kings
>>
>> On Wed, Jul 6, 2011 at 5:06 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Yes, hosts without a supplicant.
>>>
>>> 2011/7/6 Kingsley Charles <[email protected]>
>>>
>>>> Piotr, just wanted to confirm. With "dot1x guest-vlan supplicant",
>>>> failed users are put into the guest vlan in your output. Is my
>>>> understanding correct?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Wed, Jul 6, 2011 at 3:34 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> Checked on
>>>>>
>>>>> SW3#sh ver | i IOS
>>>>> Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version
>>>>> 12.2(44)SE6, RELEASE SOFTWARE (fc1)
>>>>>
>>>>> 2011/7/5 Kingsley Charles <[email protected]>
>>>>>
>>>>>> Hi all
>>>>>>
>>>>>> After a failed authentication, the port remains in the unauthorized
>>>>>> state and is not put into the guest vlan when I have configured "dot1x
>>>>>> guest-vlan supplicant". The 12.2(25)SE configuration guide claims that
>>>>>> "dot1x guest-vlan supplicant" is no longer available, while 12.2(44)SE
>>>>>> has not mentioned that the command is removed. I am able to configure
>>>>>> "dot1x guest-vlan supplicant" with 12.2(46)SE but it doesn't work.
>>>>>>
>>>>>> Any thoughts?
>>>>>>
>>>>>> *My configuration*
>>>>>>
>>>>>> dot1x guest-vlan supplicant
>>>>>> !
>>>>>> interface FastEthernet1/0/2
>>>>>>  switchport access vlan 2
>>>>>>  switchport mode access
>>>>>>  dot1x pae authenticator
>>>>>>  dot1x port-control auto
>>>>>>  dot1x violation-mode shutdown
>>>>>>  dot1x max-reauth-req 1
>>>>>>  dot1x reauthentication
>>>>>>  dot1x guest-vlan 3
>>>>>>
>>>>>> Snippet from
>>>>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html
>>>>>>
>>>>>> Using IEEE 802.1x Authentication with Guest VLAN
>>>>>>
>>>>>> You can configure a guest VLAN for each IEEE 802.1x port on the switch
>>>>>> to provide limited services to clients, such as downloading the IEEE
>>>>>> 802.1x client. These clients might be upgrading their system for IEEE
>>>>>> 802.1x authentication, and some hosts, such as Windows 98 systems,
>>>>>> might not be IEEE 802.1x-capable.
>>>>>>
>>>>>> When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns
>>>>>> clients to a guest VLAN when the switch does not receive a response to
>>>>>> its EAP request/identity frame or when EAPOL packets are not sent by
>>>>>> the client.
>>>>>>
>>>>>> With Cisco IOS Release 12.2(25)SE and later, the switch maintains the
>>>>>> EAPOL packet history. If an EAPOL packet is detected on the interface
>>>>>> during the lifetime of the link, the switch determines that the device
>>>>>> connected to that interface is an IEEE 802.1x-capable supplicant, and
>>>>>> the interface does not change to the guest VLAN state. EAPOL history is
>>>>>> cleared if the interface link status goes down. If no EAPOL packet is
>>>>>> detected on the interface, the interface changes to the guest VLAN
>>>>>> state.
>>>>>>
>>>>>> Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
>>>>>> EAPOL packet history and allowed clients that failed authentication
>>>>>> access to the guest VLAN, regardless of whether EAPOL packets had been
>>>>>> detected on the interface. You can enable this optional behavior by
>>>>>> using the *dot1x guest-vlan supplicant* global configuration command.
>>>>>> However, in Cisco IOS Release 12.2(25)SEE, the *dot1x guest-vlan
>>>>>> supplicant* global configuration command is no longer supported. Use a
>>>>>> restricted VLAN to allow clients that failed authentication access to
>>>>>> the network by entering the *dot1x auth-fail vlan* *vlan-id* interface
>>>>>> configuration command.
>>>>>>
>>>>>> Snippet from
>>>>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1241915
>>>>>>
>>>>>> Using IEEE 802.1x Authentication with Guest VLAN
>>>>>>
>>>>>> You can configure a guest VLAN for each IEEE 802.1x port on the switch
>>>>>> to provide limited services to clients, such as downloading the IEEE
>>>>>> 802.1x client. These clients might be upgrading their system for IEEE
>>>>>> 802.1x authentication, and some hosts, such as Windows 98 systems,
>>>>>> might not be IEEE 802.1x-capable.
>>>>>>
>>>>>> When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns
>>>>>> clients to a guest VLAN when the switch does not receive a response to
>>>>>> its EAP request/identity frame or when EAPOL packets are not sent by
>>>>>> the client.
>>>>>>
>>>>>> With Cisco IOS Release 12.2(25)SE and later, the switch maintains the
>>>>>> EAPOL packet history. If an EAPOL packet is detected on the interface
>>>>>> during the lifetime of the link, the switch determines that the device
>>>>>> connected to that interface is an IEEE 802.1x-capable supplicant, and
>>>>>> the interface does not change to the guest VLAN state. EAPOL history is
>>>>>> cleared if the interface link status goes down. If no EAPOL packet is
>>>>>> detected on the interface, the interface changes to the guest VLAN
>>>>>> state.
>>>>>>
>>>>>> Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the
>>>>>> EAPOL packet history and allowed clients that failed authentication
>>>>>> access to the guest VLAN, regardless of whether EAPOL packets had been
>>>>>> detected on the interface. You can enable this behavior by using the
>>>>>> *dot1x guest-vlan supplicant* global configuration command.
>>>>>>
>>>>>> In Cisco IOS Release 12.2(25)SEE and later, if devices send EAPOL
>>>>>> packets to the switch during the lifetime of the link, the switch no
>>>>>> longer allows clients that fail authentication access to the guest
>>>>>> VLAN.
>>>>>>
>>>>>> If the switch is trying to authorize an IEEE 802.1x-capable voice
>>>>>> device and the AAA server is unavailable, the authorization attempt
>>>>>> fails, but the detection of the EAPOL packet is saved in the EAPOL
>>>>>> history. When the AAA server becomes available, the switch authorizes
>>>>>> the voice device. However, the switch no longer allows other devices
>>>>>> access to the guest VLAN. To prevent this situation, use one of these
>>>>>> command sequences:
>>>>>>
>>>>>> • Enter the *dot1x guest-vlan supplicant* global configuration command
>>>>>> to allow access to the guest VLAN.
>>>>>>
>>>>>> • Enter the *shutdown* interface configuration command followed by the
>>>>>> *no shutdown* interface configuration command to restart the port.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>>
>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>> www.PlatinumPlacement.com
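The configuration the quoted 12.2(44)SE guide points to, as an added example that is not from the thread or from Cisco's documentation: keep `dot1x guest-vlan` for hosts that never send EAPOL and add a restricted VLAN with `dot1x auth-fail vlan` for supplicants that fail, so the two populations are separated rather than relying on `dot1x guest-vlan supplicant`. The interface name and VLANs 2 and 3 follow the original post; VLAN 4 as the restricted VLAN and the attempt count are assumptions.

```cisco
! Added example (not from the thread). Assumed: access VLAN 2, guest VLAN 3,
! restricted (auth-fail) VLAN 4, interface FastEthernet1/0/2 as in the original post.
!
! Not needed: "dot1x guest-vlan supplicant" is unsupported from 12.2(25)SEE and,
! per Piotr's observation, is ignored once an auth-fail VLAN is configured.
no dot1x guest-vlan supplicant
!
interface FastEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode shutdown
 dot1x reauthentication
 dot1x max-reauth-req 1
 ! Hosts that never send EAPOL (no supplicant) are placed here
 dot1x guest-vlan 3
 ! Supplicants that fail authentication are placed here instead of staying unauthorized;
 ! this VLAN should carry only the limited services intended for failed hosts
 dot1x auth-fail vlan 4
 ! Failed attempts before the port is moved to the auth-fail VLAN (assumed value)
 dot1x auth-fail max-attempts 3
!
! Verify the port's state and which VLAN it was assigned
! SW3#show dot1x interface FastEthernet1/0/2 details
! SW3#show vlan brief
```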
