Cisco Support Community

New Member

802.1x port-auth and GuestVlan ~ reauth


How can I configure switch WS-3750-24TS-S IOS 12.2(35) to re-authenticate a client on its port with 802.1x? Or how can I teach the switch to understand when a non-802.1x-compliant client on its port suddenly becomes 802.1x-compliant???

There is a LAN with RADIUS authentication. The guest VLAN (666) is for remote installation. The client boots from the LAN adapter and gets a Windows XP image installation. After booting the OS, the Windows XP client is still in the guest VLAN and can get out of it only if I shut/no shut its switch port or make it reauthenticate manually from the switch. If no guest VLAN is enabled on the port, the client with Windows XP authenticates with 802.1x fine.

HELP!!!! please.

P.S.: notes from switch-config

SWITCH (config-if)#do sh run int fa 1/0/1
Building configuration...

Current configuration : 112 bytes

interface FastEthernet1/0/1
 switchport access vlan 111
 switchport mode access
 speed 100
 duplex full
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 3
 dot1x timeout reauth-period 50
 dot1x timeout tx-period 5
 dot1x max-reauth-req 5
 dot1x reauthentication
 dot1x guest-vlan 666
 spanning-tree portfast
 spanning-tree bpdufilter enable

SWITCH (config-if)#do sh run int fa 1/0/24
Building configuration...

Current configuration : 112 bytes

interface FastEthernet1/0/24
 switchport access vlan 666
 switchport mode access

SWITCH (config-if)#do sh vlan
111 Common active Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5
666 test_for_MS_WDS active Fa1/0/1, Gi1/0/24

version 12.2
no service pad
service password-encryption
service sequence-numbers

hostname SWITCH

enable secret 5 $1$qFPMXYZHQw87HPd7SUpMohXYZQ0

aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius
aaa accounting session-duration ntp-adjusted
aaa accounting dot1x default start-stop group radius
aaa session-id common
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
ip domain-name XXXXXX.local

crypto pki trustpoint TP-self-signed-2731960704
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2731960704
 revocation-check none
 rsakeypair TP-self-signed-2731960704

dot1x system-auth-control

vlan internal allocation policy ascending

radius-server host auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 0XXX1B675DXXXX17XX06

Cisco Employee

Re: 802.1x port-auth and GuestVlan ~ reauth

It's probably b/c the MSFT supplicant isn't configured to send EAPOL-Starts by default. This is controlled with registry keys. Could you modify them and make this part of your standard build? That should do the trick.

New Member

Re: 802.1x port-auth and GuestVlan ~ reauth


Thank you for the reply!

Did I understand you correctly?

Did I make some wrong settings in the Windows XP TCP properties? (See attachment, please.)


Cisco Employee

Re: 802.1x port-auth and GuestVlan ~ reauth

Like I said, it's not in the GUI ;-). Look here:

The SupplicantMode key is what you need.
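
To check the first reply's diagnosis on the wire, this added example (not part of the thread, and not Cisco or Microsoft code) decodes EAPOL frames from a port capture and reports whether the client ever sent an EAPOL-Start. The MAC addresses, sample frames and function names are constructed for illustration.

```python
import struct

ETH_P_PAE = 0x888E                          # EtherType of EAPOL (IEEE 802.1X)
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes):
    """Return (src_mac, description) for an EAPOL frame, None for anything else."""
    if len(frame) < 18:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_PAE:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    desc = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    if ptype == 0 and len(body) >= 4:            # EAP header: code, id, length
        code = body[0]
        desc = "EAP-" + EAP_CODES.get(code, f"code{code}")
        if code in (1, 2) and len(body) >= 5 and body[4] == 1:
            desc += "/Identity"                  # EAP type 1 = Identity
    return src.hex(":"), desc

def client_role(frames, client_mac: str) -> str:
    """Classify the client by the EAPOL frames it sent itself."""
    sent = [p[1] for p in map(parse_eapol, frames) if p and p[0] == client_mac]
    if "EAPOL-Start" in sent:
        return "initiates"       # supplicant announces itself to the switch
    if any(d.startswith("EAP-Response") for d in sent):
        return "answers-only"    # speaks 802.1X only when the switch asks
    return "silent"              # no supplicant seen on the wire

def build(src: str, ptype: int, body: bytes = b"") -> bytes:
    """Build a constructed EAPOL frame (EAPOL version 1) for the samples below."""
    return (PAE_GROUP + bytes.fromhex(src)
            + struct.pack("!HBBH", ETH_P_PAE, 1, ptype, len(body)) + body)

SWITCH, CLIENT = "00aabbccdd01", "020000000001"           # constructed MACs
REQ_ID = struct.pack("!BBHB", 1, 1, 5, 1)                 # EAP-Request/Identity
RESP_ID = struct.pack("!BBHB", 2, 1, 9, 1) + b"user"      # EAP-Response/Identity
ARP = bytes(12) + struct.pack("!H", 0x0806) + bytes(28)   # non-EAPOL traffic

# Constructed captures: network boot without a supplicant, then a supplicant that starts.
PXE_BOOT = [build(SWITCH, 0, REQ_ID)] * 3 + [ARP]
XP_STARTS = [build(CLIENT, 1), build(SWITCH, 0, REQ_ID), build(CLIENT, 0, RESP_ID)]

if __name__ == "__main__":
    print(client_role(PXE_BOOT, "02:00:00:00:00:01"),
          client_role(XP_STARTS, "02:00:00:00:00:01"))
```

A client that shows as "silent" or "answers-only" after the OS is up never tells the switch that a supplicant has appeared, which matches the behaviour described in the question.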