Hi Pros,

              I run into some when trying to use guess vlan in dot1x authentication. The client is able to grab an IP in the guess vlan;however, it can't go to the Internet. Client in the guess vlan is able to ping other vlan(different subnets). There is client port access below. This is not vlan issue as any host connected to the vlan, when not using dot1x guess_vlan, able to browse the Internet.! AND when I use the guess vlan as a simple access vlan, the client is able to go to the Internet.

interface FastEthernet0/12
switchport access vlan 165
switchport mode access
dot1x port-control auto
dot1x max-req 4
dot1x max-reauth-req 4
dot1x guest-vlan 161 ----> does grab IP from this vlan,but can't go to the Internet.
dot1x reauthentication
spanning-tree portfast
!

802.1X_Test#sho dot1x int f0/12
Supplicant MAC <Not Applicable>
   AuthSM State      = AUTHENTICATED(GUEST_VLAN)
   BendSM State      = IDLE
   Posture           = N/A
   ReAuthPeriod      = 3600 Seconds (Locally Configured)
   ReAuthAction      = Reauthenticate
   TimeToNextReauth  = N/A
PortStatus        = AUTHORIZED(GUEST-VLAN)
MaxReq            = 4
MaxAuthReq        = 4
HostMode          = Single
Port Control      = Auto
ControlDirection  = Both
QuietPeriod       = 10 Seconds
Re-authentication = Enabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 15 Seconds
Guest-Vlan        = 161

thanks,

----Jean Paul