Auth-fail-vlan and guest-vlan for dot1x configuration in Cisco switches

Reference:

http://packetlife.net/blog/2008/aug/12/8021x-guest-vlans/
https://www.experts-exchange.com/questions/25115133/dot1x-auth-fail-vlan-not-working.html

Tested that both guest-vlan and auth-fail-vlan work as expected with the following configuration:

aaa new-model
aaa authentication dot1x default group radius
radius-server host **** auth-port ** acct-port ** key **
radius-server source-ports **

dot1x system-auth-control
dot1x guest-vlan supplicant

interface GigabitEthernet0/10
description 11a 10(11212)
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x max-req 1
dot1x reauthentication
dot1x guest-vlan 922
dot1x auth-fail vlan 923
dot1x auth-fail max-attempts 1

As discussed in the referenced links, auth-fail-vlan and guest-vlan only work with tuned values of max-req, auth-fail max-attempts and tx-period.
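An added example (not from the original post or the linked articles): a Python check that reads a switch configuration and reports 802.1X ports that lack a guest-vlan or auth-fail vlan, or whose tx-period, max-req or auth-fail max-attempts differ from the values tested above. SAMPLE_CONFIG, parse_interfaces and audit are names made up for this example, and GigabitEthernet0/11 is a constructed port.

```python
import re

# Values from the configuration this post reports as tested and working.
BASELINE = {"tx-period": 5, "max-req": 1, "auth-fail max-attempts": 1}
# Constructed sample: Gi0/10 mirrors the post, Gi0/11 is a hypothetical drifted port.
SAMPLE_CONFIG = """\
dot1x system-auth-control
interface GigabitEthernet0/10
 dot1x port-control auto
 dot1x timeout tx-period 5
 dot1x max-req 1
 dot1x guest-vlan 922
 dot1x auth-fail vlan 923
 dot1x auth-fail max-attempts 1
interface GigabitEthernet0/11
 dot1x port-control auto
 dot1x timeout tx-period 30
 dot1x guest-vlan 922
"""

def parse_interfaces(config):
    """Return {interface: [sub-commands]}; '!' or a blank line ends a block."""
    ports, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return ports

def audit(config):
    """Return {port: [findings]} for each port with 'dot1x port-control auto'."""
    report = {}
    if not re.search(r"^dot1x system-auth-control\s*$", config, re.M):
        report["global"] = ["dot1x system-auth-control is missing"]
    for name, cmds in parse_interfaces(config).items():
        if "dot1x port-control auto" not in cmds:
            continue
        text, findings = "\n".join(cmds), []
        for label in ("guest-vlan", "auth-fail vlan"):
            if not re.search(rf"^dot1x {label} \d+$", text, re.M):
                findings.append(f"no {label} configured")
        for key, want in BASELINE.items():
            m = re.search(rf"^dot1x (?:timeout )?{key} (\d+)$", text, re.M)
            if not m or int(m.group(1)) != want:
                findings.append(f"{key} is {m.group(1) if m else 'unset'}, tested value is {want}")
        report[name] = findings
    return report
```

Calling audit() on the text of a saved running-config returns an empty list for every port that matches the tested values.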

With the following configuration, client will stay in guest-vlan when authentication fails:
dot1x auth-fail max-attempts 3

With the following configuration, the client falls back to auth-fail-vlan when authentication fails:

interface GigabitEthernet0/10
description 11a 10(11212)
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x max-req 1
dot1x reauthentication
dot1x guest-vlan 922
dot1x auth-fail vlan 923
dot1x auth-fail max-attempts 3

With the following configuration, port is turned down when authentication fails:

dot1x guest-vlan supplicant

With the following configuration, port is turned down when authentication fails:

interface GigabitEthernet0/10
description 11a 10(11212)
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x max-req 1
dot1x reauthentication
dot1x guest-vlan 922
dot1x auth-fail vlan 923
dot1x auth-fail max-attempts 1
