Cisco Support Community

Dot1x question(s), and best practices

Hello All,

I'm toying with the idea of implementing 802.1x on my network along with DHCP snooping and dynamic ARP inspection. My reasoning is this: our primary line-of-business application sends all of its traffic in clear text across a telnet session. Yes, this is completely ridiculous in this day and age, but that's how they do things. That being said, I want to make my network much more difficult to sniff and to man-in-the-middle. We already implement port-security on access ports, but I'd like to take it a step further and implement 802.1x, dynamic VLAN assignment, etc., but I have a few questions I can't seem to find an answer to yet. I have gotten some basic 802.1x authentication to work with an XP workstation, an IP phone, and a workstation connected through an IP phone; this seems to be working as I expect.

Some background on the network:

* Switching platforms for access ports are 4506s (12.2(25)EWA1) or 3750s (12.2(44)SE2)
* PCs are majority Windows XP SP3.
* Using ACS 4.2 for authentication
* Mitel (ick!) VoIP is in use on the network (phones are 802.1x aware)

* If I don't change the behavior of Windows XP SP3, it will use machine OR user authentication for 802.1x. How does this work with dynamic VLAN assignment? If the machine boots up and authenticates via machine ID, gets assigned to VLAN X, and gets DHCP on VLAN X, what happens if a user that should be on VLAN Y signs into the machine? Does the machine reauthenticate and DHCP on the new VLAN? What determines how the XP machine authenticates?

* I seem to be having an issue with putting a PC into the guest VLAN or into the auth-fail VLAN. I have configured the interface as follows:

interface FastEthernet1/0/8
 switchport mode access
 switchport voice vlan 800
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode restrict
 dot1x timeout reauth-period 480
 dot1x reauthentication
 dot1x fallback fallback1
 dot1x guest-vlan 701
 dot1x auth-fail vlan 701
 dot1x auth-fail max-attempts 2
 spanning-tree portfast
 spanning-tree bpduguard enable


I can get a host (connected via the IP phone) into VLAN 700 through dynamic VLAN assignment, but what's the threshold for the host to be put into the guest VLAN or auth-fail VLAN (701 in this case)? If I disable the 802.1x supplicant on my Windows XP SP3 machine (Wired AutoConfig service), it will attempt to authenticate, time out, then try to get DHCP on VLAN 1 (the default VLAN for the interface). The switchport stays in VLAN 1. If I re-enable the supplicant and disable the user/PC account in AD (ACS authenticates via AD), the PC says "Authentication Failed" and just sits there; the port is never transitioned into the auth-fail VLAN. What am I missing?

* Is it a good/better idea to have all ports in the "Guest" VLAN by default?

* Webauth. I can't find much on Cisco's site about how to configure this or how it works. See the interface config above, along with the following:

ip device tracking
ip http server
ip admission name New1 proxy http
fallback profile fallback1
 ip access-group 1 in
 ip admission New1
access-list 1 permit any

If I understand this properly, the switch should present the PC with a login page to authenticate to gain access to the network. What does this line mean/how does it work?

ip access-group 1 in

If my machines rely on DHCP, can I still use webauth? They will likely not have an IP or have an automatically assigned IP if they are not authenticated properly.

With the above config, my unauthenticated PC does not get presented with a login page. What am I doing wrong?

* Are there any best practices I should be aware of when implementing 802.1x? Anything anyone would recommend to do or not to do?

Thanks in advance!
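Added here as a defender-side example, not code from the post or from Cisco: a small Python audit that parses IOS interface stanzas from a running-config and flags access ports that lack the 802.1x fallback and edge-port hardening lines discussed above (guest VLAN, auth-fail VLAN, reauthentication, BPDU guard, port-security). The sample config is constructed from the FastEthernet1/0/8 stanza in the post (trimmed) plus a hypothetical, half-configured FastEthernet1/0/9; the set of lines treated as required is this example's own assumption.

```python
import re

# Constructed sample: a trimmed copy of the post's FastEthernet1/0/8 stanza
# plus a hypothetical FastEthernet1/0/9 that was never fully configured.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/8
 switchport mode access
 switchport voice vlan 800
 switchport port-security
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x reauthentication
 dot1x fallback fallback1
 dot1x guest-vlan 701
 dot1x auth-fail vlan 701
 dot1x auth-fail max-attempts 2
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/9
 switchport mode access
 dot1x port-control auto
!
"""

# Assumed baseline: lines an 802.1x access port should carry (regex, fully
# matched against each stanza line) and the finding reported when absent.
REQUIRED = {
    r"dot1x port-control auto": "802.1X not enforced on the port",
    r"dot1x guest-vlan \d+": "no guest VLAN for hosts without a supplicant",
    r"dot1x auth-fail vlan \d+": "no restricted VLAN for hosts that fail authentication",
    r"dot1x reauthentication": "periodic reauthentication disabled",
    r"spanning-tree bpduguard enable": "BPDU guard missing on an edge port",
    r"switchport port-security": "port-security not enabled",
}

def parse_interfaces(config):
    """Map interface name -> its indented config lines (IOS indents with one space)."""
    stanzas = {}
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        stanzas[m.group(1)] = [l.strip() for l in m.group(2).splitlines()]
    return stanzas

def audit_config(config):
    """Findings per access port; an empty list means every required line is present."""
    return {name: [msg for pattern, msg in REQUIRED.items()
                   if not any(re.fullmatch(pattern, l) for l in lines)]
            for name, lines in parse_interfaces(config).items()
            if "switchport mode access" in lines}
```

Calling `audit_config(SAMPLE_CONFIG)` returns an empty finding list for FastEthernet1/0/8 and five findings for FastEthernet1/0/9; feed it `show running-config` output to audit a whole switch.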