Cisco Support Community

New Member

How to change vlan after successful dot1x authentication (ACS4.1)


I'm setting up 802.1x for security reasons with ACS 4.1. At this point I have configured a guest VLAN, which has access lists configured so only access between client <-> PXE server is allowed. So far it is functioning perfectly. When the client boots to Windows, the machine is checked by ACS (Active Directory) and the authentication is passed (passed authentication). The only problem is that the switchport is not set to the normal VLAN configured on the switch, but stays in the guest VLAN.

How can I accomplish that the port is set to the correct VLAN after successful authentication?

I cannot configure ACS to set the VLAN to a specific number, because every switch has a separate VLAN and the VLAN should not spread over different switches.

Thanks in advance!


Re: How to change vlan after successful dot1x authentication (AC

As far as I understand, you are trying to set up 802.1x port-based authentication.

First of all, here is a configuration guide:

Refer to the chapter "Configure IEEE 802.1x Port-Based Authentication".

! 802.1X access port (interface-level commands)
switchport mode access
! act as the 802.1X authenticator on this port and let the outcome control access
dot1x pae authenticator
dot1x port-control auto
! re-authenticate periodically, using the reauth period the RADIUS server returns
dot1x timeout reauth-period server
dot1x reauthentication
! VLAN for clients that never send EAPOL (no supplicant running, e.g. during PXE boot)
dot1x guest-vlan 140
! VLAN for clients that fail authentication
dot1x auth-fail vlan 104

Based on this, if a user gets successfully authenticated, the VLAN assignment is done via RADIUS.

Regarding the ACS setup, which authentication methods do you intend to use?

Do you also do machine authentication?

What kind of supplicant (client) are you using (Version/Build/SP)?

For troubleshooting, I need some further information.
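What "the VLAN assignment is done via RADIUS" means on the wire, as an added example that is not part of the reply above: the RADIUS server puts three RFC 2868 tunnel attributes in the Access-Accept (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN), and the switch moves the port accordingly. Tunnel-Private-Group-ID may carry a VLAN name rather than a number, and Cisco IOS resolves that name against its own VLAN database, which is the usual way to return one RADIUS profile while each switch maps it to a different local VLAN ID. The code below (mine, not Cisco's or ACS's) encodes and decodes those attributes and models the switch-side lookup; the per-switch VLAN tables and the VLAN names DATA and GUEST are constructed for the example.

```python
"""Encode and decode the RFC 2868 tunnel attributes that carry an 802.1X
VLAN assignment in a RADIUS Access-Accept, and model the switch-side
mapping of the returned value onto a locally defined VLAN.
Added example; the VLAN tables below are constructed, not from the thread.
"""
import struct

# RADIUS attribute types (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
# Values the switch expects for a VLAN assignment
TUNNEL_TYPE_VLAN = 13
MEDIUM_IEEE_802 = 6

# Constructed per-switch VLAN databases: same names, different local IDs.
SWITCH_A_VLANS = {"DATA": 110, "GUEST": 140}
SWITCH_B_VLANS = {"DATA": 210, "GUEST": 140}


def _avp(attr_type, value):
    """One RADIUS AVP: Type(1) Length(1) Value(n), Length includes the header."""
    length = len(value) + 2
    if length > 255:
        raise ValueError("attribute value too long")
    return bytes([attr_type, length]) + value


def encode_vlan_assignment(vlan, tag=1):
    """Build the three AVPs for assigning `vlan` (an int ID or a str name).

    The tag byte (0x00-0x1F) groups the three attributes into one tunnel set.
    Integer-valued tunnel attributes carry the tag plus a 3-byte value.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    tagb = bytes([tag])
    return b"".join([
        _avp(TUNNEL_TYPE, tagb + struct.pack(">I", TUNNEL_TYPE_VLAN)[1:]),
        _avp(TUNNEL_MEDIUM_TYPE, tagb + struct.pack(">I", MEDIUM_IEEE_802)[1:]),
        _avp(TUNNEL_PRIVATE_GROUP_ID, tagb + str(vlan).encode("ascii")),
    ])


def decode_vlan_assignment(data):
    """Parse a run of AVPs; return {tag: {"type", "medium", "group"}}.

    Unknown attributes are skipped. For the string attribute (81) a leading
    byte above 0x1F is data, not a tag (RFC 2868 section 3.6).
    """
    tunnels = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed AVP length")
        value = data[i + 2:i + length]
        i += length
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and (not value or value[0] > 0x1F):
            tag, body = 0, value
        else:
            tag, body = value[0], value[1:]
        entry = tunnels.setdefault(tag, {})
        if attr_type == TUNNEL_TYPE:
            entry["type"] = int.from_bytes(body, "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            entry["medium"] = int.from_bytes(body, "big")
        else:
            entry["group"] = body.decode("ascii", errors="replace")
    return tunnels


def vlan_for_port(tunnels, local_vlans):
    """Model the switch: return the local VLAN ID to put the port in, or None.

    A tunnel set is only honoured if it is VLAN over IEEE-802. A numeric
    group is used as-is but must exist locally; a name is looked up in this
    switch's own VLAN database, so the same name maps to a different ID on
    each switch.
    """
    for tag in sorted(tunnels):
        entry = tunnels[tag]
        if entry.get("type") != TUNNEL_TYPE_VLAN or entry.get("medium") != MEDIUM_IEEE_802:
            continue
        group = entry.get("group")
        if group is None:
            continue
        if group.isdigit():
            vid = int(group)
            return vid if vid in local_vlans.values() else None
        return local_vlans.get(group)
    return None


if __name__ == "__main__":
    accept = encode_vlan_assignment("DATA")
    parsed = decode_vlan_assignment(accept)
    print(accept.hex(), parsed)
    print("switch A ->", vlan_for_port(parsed, SWITCH_A_VLANS))  # 110
    print("switch B ->", vlan_for_port(parsed, SWITCH_B_VLANS))  # 210
```

For the switch to act on these attributes at all it also needs `aaa authorization network default group radius` in its global configuration; without it the authentication succeeds but the port stays in its statically configured (or guest) VLAN, which is worth ruling out before looking at the ACS side.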

New Member

Re: How to change vlan after successful dot1x authentication (AC

Yes, I'm trying to set up 802.1x. The configuration you mention is configured on the switch, and the switch is configured (RADIUS IETF) in ACS. Authentication is based on machine authentication.

The configuration works as it should. The only problem is PXE boot for imaging. By adjusting the timers I managed to boot the workstation: at PXE boot, the switchport is set to the guest VLAN, and when Windows boots, the machine is checked and the port is set to the normal VLAN. The only problem is that the timers are machine specific.

Back to the questions:

Which authentication: PEAP

Machine: YES

Supplicant: Standard Windows XP (PEAP) supplicant

Is it possible to keep the PXE boot functionality with 802.1x and the guest VLAN?