During testing, I took my test PC off the domain but did not disable 802.1x. When Win2k booted, it was seen as unauthenticated and never was put in the Guest Vlan. I read another post from March and it sounds like this is expected.
If this is true, how do you handle a vendor that needs to plug into your network, but has 802.1x enabled because maybe their corporate network uses it? Is there any way to say if they are not authenticated, go into the Guest Vlan? I'm guessing the solution is to tell them to turn off 802.1x but I don't want to be involved every time vendors need to get on our network.
I tried the dot1x guest-vlan supplicant but looks like my IOS is older. I'll check out a newer version. I did do the dot1x guest-vlan command on the port. If the client has 802.1x turned off, it works. But if it's on but can't authenticate (like a real world vendor connecting might have it on), the port just sits in an unauthenticated mode.
I figured I would learn 802.1x with NAC for switches almost here but every time I get a problem solved, I test another scenario and more problems arise. Since we have a lot of Windows 2000 still, many Vlans (mainly location and application specific), vendors needing to plug in (main drive to get this working), and a lot of medical equipment that doesn't support 802.1x, this isn't looking too good. I checked into the MeetingHouse client but it is very pricey for just being an agent. Next test is a domain PC but logging in locally. Can't wait to see what that does.
We have 12.2(25)SEC in our IOS switch (3750). It is stable with dot1x authentication (PEAP, dynamic vlan, guest vlan, user/machine auth). But the feature you want, let's call it auth-fail-vlan, does not work in current version, although it should work according to Cisco document.
Today, I found the "802.1x restricted VLAN" feature in Cisco newly released 12.2(25)SED IOS. There is a command "dot1x auth-fail vlan" like CatOS. I would find time to test.
Suggestions for your reference:
1. For dot1x, 95% is supplicant problem. Try to search support.microsoft.com with 802.1x or supplicant key word. You will find some good hints and hotfixes that make the supplicant stable.
2. For employees in your company, add the registry key below (have a test before deployment).
I found the dot1x auth-fail vlan feature while going through release notes. I was on 12.2(20)SE and upgraded to 12.2(25)SED and this fixes the problem I originally posted about. It takes awhile though to go into that Vlan but finally did after canceling the authentication windows enough times in Win2K. I probably need to mess with the timeouts and AuthFail-Max-Attempts.
Regarding your dynamic vlan setup, are you referring to assigning vlans through ACS? I'm still trying to get this to work properly with Windows 2000. I have another post about it but basically if I assign a vlan during machine auth, it works. If then the user is assigned to a different vlan, Win2K won't pick up a new IP (I understand XP SP2 will though). If I don't assign a vlan for the user, then the port goes back to the vlan configured in nvram and doesn't stay in the vlan assigned to the PC.
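To put the pieces discussed in this thread side by side, here is an added port configuration (not taken from any poster's switch) that combines the guest VLAN for clients with no supplicant, the 12.2(25)SED auth-fail VLAN for clients whose supplicant is on but cannot authenticate, and the retry/timeout knobs that control how long a Win2K box sits unauthenticated before it lands there. Interface name and VLAN IDs 10/20/30 are placeholders; both the guest and auth-fail VLANs are assumed to be isolated networks with only the access a vendor actually needs.

```cisco
! Global: enable 802.1x and let the switch move a port with no
! supplicant response into the guest VLAN (needs 12.2(25)SE or later).
dot1x system-auth-control
dot1x guest-vlan supplicant

interface FastEthernet0/1
 description Vendor / conference room drop (placeholder)
 switchport mode access
 ! Static VLAN the port would fall back to; keep it a restricted VLAN too.
 switchport access vlan 10
 dot1x port-control auto
 ! No supplicant at all (medical gear, PC with 802.1x off) -> VLAN 20
 dot1x guest-vlan 20
 ! Supplicant present but EAP fails (vendor with foreign creds) -> VLAN 30
 ! Requires the "802.1x restricted VLAN" feature in 12.2(25)SED.
 dot1x auth-fail vlan 30
 ! Move to the auth-fail VLAN after 3 failed attempts instead of the default
 dot1x auth-fail max-attempts 3
 ! Shorter quiet period between attempts so the client is not stuck for a minute
 dot1x timeout quiet-period 10
 ! EAP-Request/Identity retransmit interval and retry count;
 ! tx-period x (max-reauth-req + 1) is the wait before the guest VLAN applies
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

Verify the result with `show dot1x interface FastEthernet0/1` (or `show dot1x all`) after a deliberately failing client connects; the port should show the auth-fail VLAN rather than staying in the unauthorized state.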