Cisco Support Community
Community Member

802.1x Guest access when unauthenticated

During testing, I took my test PC off the domain but did not disable 802.1x. When Win2k booted, it was seen as unauthenticated and never was put in the Guest Vlan. I read another post from March and it sounds like this is expected.

If this is true, how do you handle a vendor that needs to plug into your network, but has 802.1x enabled because maybe their corporate network uses it? Is there any way to say if they are not authenicated, go into the Guest Vlan? I'm guessing the solution is to tell them to turn off 802.1x but I don't want to be involved everytime vendors need to get on our network.

Community Member

Re: 802.1x Guest access when unauthenticated


In your scenario, you can turn on the auth-fail-vlan feature. Newer IOS or CatOS supports this feature.

For IOS you have to turn the feature on globally: dot1x guest-vlan supplicant. Assign the guest-vlan in the interface with the command: dot1x guest-vlan

For CatOS: set port dot1x auth-fail-vlan

Try it because it doesn't seem to work in my environment !!!! (It should work.)

Turning on the dot1x feature, nightmare begins.....

Community Member

Re: 802.1x Guest access when unauthenticated

I tried the dot1x guest-vlan supplicant but looks like my IOS is older. I'll check out a newer version. I did do the dot1x guest-vlan command on the port. If the client has 802.1x turned off, it works. But if it's on but can't authenticate (like a real world vendor connecting might have it on), the port just sits in an unauthenticated mode.

I figured I would learn 802.1x with NAC for switches almost here but everytime I get a problem solved, I test another scenario and more problems arise. Since we have a lot of Windows 2000 still, many Vlans (mainly location and application specific), vendors needing to plug in (main drive to get this working), and a lot of medical equipment that doesn't support 802.1x, this isn't looking too good. I checked into the MeetingHouse client but it is very pricey for just being an agent. Next test is a domain PC but logging in locally. Can't wait to see what that does.

Community Member

Re: 802.1x Guest access when unauthenticated


We have 12.2(25)SEC in our IOS switch(3750). It is stable with dot1x authentication(PEAP, dynamic vlan,guest vlan, user/machine auth). But the feature you want, let's call it auth-fail-vlan, does not work in current version, although it should work according to Cisco document.

Today, I found the "802.1x restricted VLAN" feature in Cisco newly released 12.2(25)SED IOS. There is a command "dot1x auth-fail vlan" like CatOS. I would find time to test.

Suggestions for your reference:

1. For dot1x, 95% is supplicant problem. Try to search with 802.1x or supplicant key word. You will find some good hints and hotfixes that make the supplicant stable.

2. For employees in your company, add the registry key below(have a test before deployment).




Those are for both user and machine authentication.

Export it after a successful test for deployment convenient.

3. For medical equipment, if it is not "mobile", "force-authorize" it with a description.

4. For vendors or visitor, just put them in guest vlan. For those which have dot1x configured in their laptops, the swith must support "auth-fail-vlan".

Let me guess the result of your next test:the PC will be in unauthorized state.

Before GINA, the PC will be authorized in its VLAN if you have machine auth.(use show dot1x int to see)

Since you log in locally, PC will be authenticated again and be put in unauthorized state.



Community Member

Re: 802.1x Guest access when unauthenticated

I found the dot1x auth-fail vlan feature while going through release notes. I was on 12.2(20)SE and upgraded to 12.2(25)SED and this fixes the problem I originally posted about. It takes awhile though to go into that Vlan but finally did after canceling the authenication windows enough times in Win2K. I probably need to mess with the timeouts and AuthFail-Max-Attempts.

Regarding your dynamic vlan setup, are you referring to assigning vlan's through ACS? I'm still trying to get this to work properly with Windows 2000. I have another post about it but basically if I assign a vlan during machine auth, it works. If then the user is assigned to a different vlan, Win2K won't pick up a new IP (I understand XP SP2 will though). If I don't assign a vlan for the user, then the port goes back to the vlan configured in nvram and doesn't stay in the vlan assigned to the PC.

Thanks for your input.

CreatePlease to create content