dot1x guest vlan problem

Dec 28th, 2007


While the PC is starting, until the welcome screen (user/password screen) appears in Windows XP, the switch determines that the PC is not dot1x enabled and then puts the PC into the guest VLAN. How can I fix this problem?

Thank you.

gopinath.krishn... Fri, 12/28/2007 - 03:21

Hey, can you tell me

how the switch has been configured for dot1x and whether it is talking to any RADIUS server?

Please briefly describe your setup...

Well, if you have this command on the interface

dot1x guest vlan

then undo this command on that switch port.

This should help.

Muhammed AKYUZ Fri, 12/28/2007 - 03:37


It is talking to RADIUS. I do not have a problem with auth. The switch assigns ports to the guest VLAN if the PC or client is not dot1x enabled in WinXP and MAC address auth fails. But during PC startup, until the welcome screen appears, the switch asks the PC if it is dot1x enabled and the PC says no, because WinXP is not loaded yet. So the switch asks for the MAC address and does not auth the MAC address because it is not in the list. So the switch assigns the PC to the guest VLAN. Then the PC gets a guest VLAN IP and it does not change. My real question is: how can I extend the time before the switch falls back to MAC auth bypass?


interface FastEthernet0/47
 switchport mode access
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation protect
 dot1x mac-auth-bypass eap
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 3
 dot1x timeout reauth-period 20
 dot1x max-req 1
 dot1x guest-vlan 20
 storm-control broadcast level bps 1m
 storm-control multicast level bps 1m
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source


gopinath.krishn... Fri, 12/28/2007 - 04:16


I think we are sailing in the same boat... if possible, please have a look at the conversation titled "Configuring IEEE 802.1x Port-Based Configuration"...

I am trying to enable dot1x auth on our LAN, and decided to use mac-auth-bypass... well, I think the switch config is good... but the PC is not getting authenticated with ACS. I have added the PC's MAC address to the local ACS database, and have also created a username/password with the PC's MAC address. I am getting an error log in ACS saying "Auth Failed". Hope you could help me with this...

I am trying to get a solution for your problem... correct me if I am wrong... you wanted to extend the time period before the switch falls back to MAC auth bypass... right?



Muhammed AKYUZ Fri, 12/28/2007 - 04:40


Check the ACS logs to see why auth fails; compare the user name in the log with the one you entered in ACS. MAC address formats sometimes mismatch. Example: abcd.234f.123d or abcd234f123d or ABCD.234d.123D; these are all the same MAC address, but ACS recognizes them as different.

gopinath.krishn... Fri, 12/28/2007 - 04:48


The username which we create on the ACS with the MAC address... do we have to follow any specific format for that?

I mean, does it have to be 0018.fe67.05bb or 0018-FE67-05BB or

00-18-FE-67-05-BB or 0018FE6705BB?

On ACS I get this log error: "/22/2006,04:55:12,Authen failed,0018fe6705bb,Default Group,00-18-FE-67-05-BB,(Default),Internal error,,,50002,,,,,,,,"



Muhammed AKYUZ Fri, 12/28/2007 - 05:09


I checked our ACS. The format has to be 000c29a6480e and the password must be the same. Also, did you happen to set up VLAN ID and 802 at ACS?
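
Added example, not part of the original thread and not Cisco code: a small audit that normalises MAC-style account names to the 12-digit lowercase form given in the last reply and pairs failed log entries with the account that was meant for them. The log field positions are an assumption read off the line quoted above, and the account list is constructed sample data.

```python
import csv
import re

# Accepted spellings: 0018.fe67.05bb, 0018-fe67-05bb, 00-18-fe-67-05-bb,
# 00:18:fe:67:05:bb, 0018fe6705bb (any letter case).
_MAC = re.compile(r"^(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}[.-]){2}[0-9a-f]{4}$")


def mab_username(mac):
    """Return the MAC as 12 lowercase hex digits, the form the thread says ACS needs."""
    text = mac.strip().lower()
    if not _MAC.match(text):
        raise ValueError("not a MAC address: %r" % mac)
    return re.sub(r"[.:-]", "", text)


def misformatted_accounts(entered):
    """Map each MAC-like account name that is not in canonical form to its fix."""
    fixes = {}
    for name in entered:
        try:
            canon = mab_username(name)
        except ValueError:
            continue  # ordinary user account, not a MAB entry
        if name != canon:
            fixes[name] = canon
    return fixes


def explain_failures(log_lines, entered):
    """Pair each failed username in the log with the account that was meant for it."""
    by_canon = {}
    for name in entered:
        try:
            by_canon[mab_username(name)] = name
        except ValueError:
            pass
    hits = []
    for row in csv.reader(log_lines):
        # Assumed layout, read off the quoted line: [2]=result, [3]=user name.
        if len(row) > 3 and row[2] == "Authen failed":
            account = by_canon.get(row[3].lower())
            if account is not None and account != row[3]:
                hits.append((row[3], account))
    return hits


# Log line quoted in the thread; the account list is constructed sample data.
LOG = ["/22/2006,04:55:12,Authen failed,0018fe6705bb,Default Group,00-18-FE-67-05-BB,(Default),Internal error,,,50002,,,,,,,,"]
ACCOUNTS = ["0018.fe67.05bb", "000c29a6480e", "jsmith"]
```

With the sample data, `explain_failures(LOG, ACCOUNTS)` reports that the failed name `0018fe6705bb` corresponds to the account stored as `0018.fe67.05bb`, which would need to be re-created in the canonical form with a matching password.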

