I'm doing some dot1x/eap-tls here, and everything is going quite well. I can assign vlans over radius/ldap to the clients, including guest-vlans for those without a certificate. What gives me headaches is: I can not see any logging from the switch (2960), if a client is assigned to a guest vlan because of a missing certificate. With a bunch of switches, I would like to see some logging message for this, to see the port and maybe a mac-address, so that I would be able to forward this to other instances/monitoring systems. Is there a way to make the switch more talkative regarding this? All I can see now is up/down in the syslog, the AAA-server can't handle this, because the switch won't authenticate the client without a certificate. Debug dot1x is quite clear here, but the setting gets lost after reboot. Did anybody manage to bring some transparence into this?