802.1x Guest Vlan

Unanswered Question
Aug 10th, 2010

I'm running 12.2 (52) and (53) on many of my 3560 switches. I am testing 802.1x Authentication. I have it working but I'm also wanting to get the Guest-VLAN working. I enable the global command "dot1x guest-vlan supplicant" but when I go to Interface mode and try to run "dot1x guest-vlan" there isn't an option for guest vlan. Any ideas?

cowetacoit Tue, 08/10/2010 - 12:02

I just discovered that this is a hidden command. When I ran this command the switch put this command on the interface. I have a local DHCP scope for the guest vlan but my test computer isn't grabbing an IP. Any suggestions?

interface FastEthernet0/1
switchport access vlan 10
switchport mode access
switchport voice vlan 30
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
authentication event no-response action authorize vlan 20
authentication port-control auto
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
spanning-tree portfast

Yudong Wu Tue, 08/10/2010 - 12:31

"authentication event no-response action authorize vlan 20" is for the IAB feature, which will kick in when the switch does not get a response from the AAA server.

You need to use "show dot1x int x/y detail" to find out what the interface dot1x state is when the device is plugged into the port.

If you see the port is assigned to port 20 by IAB, your host should be able to get the IP address. Is your DHCP server in vlan 20? If not, do you have "ip helper" configured under the vlan 20 interface?

Guest vlan should work based on the configuration guide.


cowetacoit Tue, 08/10/2010 - 12:46

OK, everything seems to be working properly now. My TEST PC that doesn't have 802.1X/PEAP configured goes into the Guest-VLAN and gets an IP Address from DHCP. I'm in the process of building some route-maps to point the Guest-VLAN out a separate public internet connection we have. Like I mentioned before, the commands have changed but seem to be working. I also tweaked the dot1x timers because my TEST PC was getting a 169 auto config before the dot1x timer expired.

dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x max-req 1

Also, here is my SHOW DOT1X INTERFACE output. I do not see anything to do with the Guest-VLAN although it is in it currently and has a DHCP IP.

sh dot1x interface fa0/1
Dot1x Info for FastEthernet0/1
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 10
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 1
TxPeriod                  = 5
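
An added example, not part of the original posts: a Python check over the interface stanza and `show dot1x interface` output pasted in the thread. It confirms that the VLAN authorized by the no-response action is separate from the data and voice VLANs and estimates how long a client without a supplicant waits before fallback. The function names, the `(ReAuthMax + 1) * TxPeriod` estimate and the `dhcp_budget_s` default are assumptions.

```python
import re

# Copied from the posts above, trimmed to the lines the check reads.
INTERFACE_CONFIG = """\
interface FastEthernet0/1
switchport access vlan 10
switchport voice vlan 30
authentication event no-response action authorize vlan 20
authentication port-control auto
dot1x pae authenticator
"""
SHOW_DOT1X = """\
PortControl               = AUTO
ReAuthMax                 = 2
MaxReq                    = 1
TxPeriod                  = 5
"""

def parse_show_dot1x(text):
    """Turn the 'Key = Value' lines of the show output into a dict of strings."""
    return dict(re.findall(r"^(\w+)[ \t]*=[ \t]*(\S+)[ \t]*$", text, re.M))

def guest_fallback_seconds(fields):
    # Assumption: the switch sends (ReAuthMax + 1) EAP identity requests,
    # TxPeriod seconds apart, before the no-response action fires.
    return (int(fields["ReAuthMax"]) + 1) * int(fields["TxPeriod"])

def _vlan(config, pattern):
    m = re.search(pattern, config, re.M)
    return int(m.group(1)) if m else None

def audit_interface(config, fields, dhcp_budget_s=60):
    """Return a list of findings (empty when nothing is flagged).
    dhcp_budget_s is an assumed client DHCP give-up time; tune it per OS."""
    findings = []
    access = _vlan(config, r"^\s*switchport access vlan (\d+)")
    voice = _vlan(config, r"^\s*switchport voice vlan (\d+)")
    guest = _vlan(config, r"^\s*authentication event no-response action authorize vlan (\d+)")
    if not re.search(r"^\s*authentication port-control auto", config, re.M):
        findings.append("port is not under 802.1X control")
    if guest is None:
        findings.append("no fallback VLAN for clients without a supplicant")
    elif guest in (access, voice):
        findings.append(f"guest VLAN {guest} is shared with an authenticated VLAN")
    wait = guest_fallback_seconds(fields)
    if wait >= dhcp_budget_s:
        findings.append(f"fallback after {wait}s exceeds DHCP budget {dhcp_budget_s}s")
    return findings

if __name__ == "__main__":
    print(audit_interface(INTERFACE_CONFIG, parse_show_dot1x(SHOW_DOT1X)))
```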

