I have dot1x set up on a 3560. I basically have 3 vlans configured.
All ports are in vlan "guest (vlan 10)" by default. The authenticated "AUTH" vlan is pushed by the RADIUS server after successful authentication. And finally I have a guest/auth-fail vlan for non-dot1x capable machines.
Everything works fine except that when I connect a Windows XP machine which is not on the domain, I am not assigned to a guest vlan. The port stays in the unauthorized state and a "show interface" output shows that the port is up but line protocol is down.
It works sometimes but other times it doesn't.
Is there a trick to it? Also, I read an article on Cisco's website which was specific to XP and dot1x, i.e. the switch waits ~180 seconds and you need to plug the cable in/out of the switch to make it work... I haven't tried this yet, but does anybody have any better ideas than this technique?
I have the standard config:
dot1x port-control auto
dot1x guest-vlan 10
dot1x auth-fail vlan 10
I am thinking of tweaking the "quiet period" and the switch-to-client retransmission timeout values.
Note: Like I mentioned earlier, after successful authentication corporate clients are put in the correct vlan. It's just the "guest" vlan piece which is not working.
Thoughts? Pointers? Comments?