Switch Security with 802.1x

jstabl
Level 1

I am in the middle of investigating the possibilities of using 802.1x authentication for users who wish to access a physical switch port through out our organization.

I would like some insight to whether this is a viable solution and how others are currently implementing this solution.

I would like for users current Active Directory credentials to grant access to a switch port or certain VLANs based upon correct authentication.

I have ACS 3.3 already in place and could use dynamic vlans to place authorized users in a certain vlan with other go into the unsecure/guest vlan.

Please direct me in the right direction on how to implement this or why I shouldn't.

Thank you,

Jake

1 Accepted Solution


Amit Singh
Cisco Employee

Jake,

No to "should not": you should configure 802.1x using IBNS (Identity Based Networking Services) for your users. This will give you another security layer on the network and will allow you to control network access, limiting it to the allowed users on the network. You can integrate Windows AD for the user authentication via AD. You have to use dynamic VLAN assignment with ACS to move the authenticated user to the production VLAN, guest users to the guest VLAN and users who failed authentication to a "dummy VLAN".

Let us know the switches and the IOS that you are running on them.

Please see the link below for 802.1x configuration on Cisco switches:

http://www.cisco.com/en/US/products/hw/switches/ps5532/products_configuration_guide_chapter09186a00801ee86d.html

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_book09186a00802335e2.html

HTH, please rate if it does.

-amit singh


4 Replies


Thanks for the timely response, Amit. I have a 4506 with IOS 12.2.25EWA1 at the edges and the cores are running 6500s with CatOS currently (getting an IOS upgrade in 2 weeks to the newest IOS). I am in the process of reading over the links you provided.

I am concerned, however, about the configuration of the actual client machines. For our secure users an AD policy could set the network interface for 802.1x, and for guests, with or without 802.1x enabled, that would just put them either in the guest network or the dummy VLAN?

Basically, 802.1x needs a client supplicant on the user's desktop. Windows XP has a client supplicant which supports basic EAP or 802.1x authentication. Cisco has an 802.1x client that you can use on the user's desktop for EAPoL authentication.

If you don't have users with an 802.1x enabled client, they will not be able to authenticate on the network and you can simply place them in the authentication-failed VLAN or dummy VLAN. This authentication-failed VLAN can be the same as your guest VLAN, or you can keep the guest VLAN different for your guests with limited internet connectivity.

You need to upgrade your switches to at least the 12.2.25SG release for "authentication failed" VLAN support.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_relevant_interfaces_and_modules.html#gigabit

HTH, please rate if it does.

-amit singh
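The switch side of what Amit describes in his two replies (802.1x authentication against ACS over RADIUS, dynamic VLAN assignment for authenticated users, a guest VLAN for hosts that never speak EAPOL, and an authentication-failed VLAN for rejected credentials), written out as an added example for this thread; it is not configuration posted by Amit or Jake and is not copied from the linked Cisco guides. It assumes the 12.2(25)SG-era `dot1x` command syntax on a Catalyst 4500, and every concrete value in it is a placeholder: the ACS/RADIUS server 10.0.0.5, the shared secret, interface GigabitEthernet2/1, and VLANs 10 (production), 200 (guest), 201 (auth-fail) and 999 (a parking VLAN with no resources behind it).

```cisco
! --- Global AAA / RADIUS (ACS acting as the RADIUS server) ---
aaa new-model
! 802.1x authentication and the network (VLAN) authorization both go to the RADIUS group
aaa authentication dot1x default group radius
aaa authorization network default group radius
! ACS address and shared secret are placeholders; use a long, per-switch secret in practice
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key RADIUS_SECRET_PLACEHOLDER
! Enable 802.1x globally; the per-port commands below do nothing without this
dot1x system-auth-control
!
! VLANs the port can end up in. A VLAN returned by ACS must already exist on the switch,
! otherwise the dynamic assignment fails and the port stays unauthorized.
vlan 10
 name PRODUCTION
vlan 200
 name GUEST
vlan 201
 name AUTH-FAIL
vlan 999
 name PARKING
!
! --- Access port for a user desktop ---
interface GigabitEthernet2/1
 description 802.1x user port (example)
 switchport mode access
 ! Configured VLAN is the parking VLAN; an authenticated user is moved to the VLAN ACS returns
 switchport access vlan 999
 ! Require EAPOL authentication on this port; the switch only relays EAP between host and ACS
 dot1x port-control auto
 ! A host that never answers EAPOL (no supplicant) is placed here after the request retries expire
 dot1x guest-vlan 200
 ! A host whose credentials are rejected this many times is placed in the auth-fail VLAN
 dot1x auth-fail vlan 201
 dot1x auth-fail max-attempts 3
 ! Periodic reauthentication so a disabled AD account loses access without a port bounce
 dot1x reauthentication
 spanning-tree portfast
```

For the dynamic VLAN part, the ACS group for production users has to return the three IETF RADIUS attributes the switch acts on in the Access-Accept: Tunnel-Type (64) set to VLAN (13), Tunnel-Medium-Type (65) set to 802 (6), and Tunnel-Private-Group-ID (81) carrying the VLAN name (PRODUCTION in this example); a group that returns none of them leaves the port in the configured access VLAN, which is why the parking VLAN here has nothing reachable in it. Keep the guest and auth-fail VLANs separate when you want to tell "no supplicant" apart from "wrong credentials" in your logs, since the latter is the one worth alerting on. `show dot1x interface GigabitEthernet2/1` shows which state and VLAN a port actually landed in while piloting.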

I'm also investigating 802.1x for wired authentication. I got it working well on a Cisco 3750, and would like to pilot it to a small group of users if possible.

But I'm really curious to hear feedback from people who have implemented wired 802.1x! How did you roll it out, and how well is it working? Have users noticed any difference?

We plan on using the Microsoft XP supplicant instead of buying a third-party supplicant, and I'm also wondering how well that has worked for other companies. Right now our next step is figuring out how to configure users' wired 802.1x profiles without them having to configure it themselves.
