802.1x with MAC Authentication Bypass, Guest Vlan and Auth-Fail Vlan

jspichalla · ‎01-16-2007

Hello,

I want test a scenario with different vlans. On my Switch Port is this following configured:

interface GigabitEthernet0/4

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

switchport port-security mac-address sticky

speed auto 100

dot1x mac-auth-bypass

dot1x critical recovery action reinitialize

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x control-direction in

dot1x timeout quiet-period 2

dot1x timeout server-timeout 2

dot1x timeout reauth-period server

dot1x timeout tx-period 1

dot1x timeout supp-timeout 2

dot1x max-reauth-req 1

dot1x reauthentication

dot1x guest-vlan 7

dot1x auth-fail vlan 7

dot1x critical vlan 6

spanning-tree portfast

spanning-tree bpduguard enable

My question is, can I combined this features on a port? By corrupted MAC-Address should be the PC in guest-vlan, by corrupted certificate should be the PC in Auth-Fail vlan.

Is that correct?

thanks for your response

Jens

Amit Singh · ‎01-16-2007

Jens,

I am in doubt that this thing will work. As dot1x is not doing the MAC authentication in this case and Port-security will come into the picture first.If it is the sixth/corrupted mac-address port-security will not allow the traffic to passs at all and all the packets from the source MAC will all the dropped.This will not allow the dot1x to do the vlan mapping.

The other feature will definately work i.e the corrupted certificate PC will fall in the Auth-fail Vlan.

HTH,

-amit singh