
New Member

Question about dot1x & Web Authentication

I'm not sure if what I want to do is possible so hopefully someone can set me straight.

Right now when a user doesn't have an 802.1x capable machine, they are assigned to the guest VLAN. Then using the dot1x fallback command we could force them to authenticate using the web if we so choose. At least this is how I understand web-auth to work. Please correct me if I'm wrong.

But what about when someone is using an 802.1x capable machine but fails auth? Like say a user logging in locally on a domain machine or a vendor using his company's laptop. Currently those ports go into an unauthorized state and are not active. If I use the dot1x auth-fail-vlan command, it authorizes the ports for that VLAN just fine.

What I'd like to do in those cases is to put them in a restricted vlan and then force them to use web authentication to gain access to the network.

Is that possible? I can't seem to find a way to use web authentication after a failed dot1x auth. Or is that it, a failure is a failure and there is no way to try and reauthenticate a different way?

New Member

Re: Question about dot1x & Web Authentication


dot1x authentication and MAC authentication bypass are layer 2 authentication mechanisms and webauth is a layer 3 authentication mechanism.

You can set multiple authentication profiles and set the priority as well.

Like you can have dot1x authentication first, webauth second and MAC authentication bypass third.

Remember the other authentication mechanism will only come into place if the first authentication is not possible, that is, the client does not have a supplicant for dot1x.

If a user doesn't have a dot1x supplicant and you have configured a guest VLAN then the user will be put into the guest VLAN; otherwise the user will be in the access VLAN in which the port is configured.

If you have configured an auth-fail VLAN and the user gives wrong credentials, the user will be put into the auth-fail VLAN.

If a user is a dot1x client and dot1x is configured then the user must pass the dot1x authentication.

The fallback mechanism is only for when the dot1x authentication cannot be executed because the client does not have a dot1x supplicant. Then the next mode of authentication will be triggered, that is, either webauth or MAB.

If a user fails the dot1x authentication due to wrong credentials then he cannot be prompted for another authentication mechanism. This is to avoid security breaches.

hope this helps.
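An added configuration example, not from either poster, showing the per-port setup the thread describes: a guest VLAN for hosts with no supplicant, an auth-fail VLAN for hosts that fail 802.1X, and a web-authentication fallback profile that is reached only on the no-supplicant path, exactly as the answer above explains. The interface, VLAN IDs, ACL and profile names are constructed placeholders.

```text
! Global prerequisites for 802.1X and web authentication (constructed example)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
ip http server
ip device tracking
!
! Pre-login ACL applied to the port while web-auth is pending: allow DHCP and DNS
! so the host can get an address and resolve names; everything else is dropped
! until the user authenticates through the browser.
ip access-list extended WEBAUTH-PRELOGIN
 permit udp any any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
! Web-auth proxy rule and the fallback profile that references it
ip admission name WEBAUTH-RULE proxy http
fallback profile WEBAUTH-FALLBACK
 ip access-group WEBAUTH-PRELOGIN in
 ip admission WEBAUTH-RULE
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 ! No EAPOL response (no supplicant): port goes to the guest VLAN and
 ! the web-auth fallback profile is applied there.
 dot1x guest-vlan 30
 dot1x fallback WEBAUTH-FALLBACK
 ! Supplicant present but credentials rejected: after the allowed attempts
 ! the port is authorized into the restricted auth-fail VLAN. Web-auth is
 ! not triggered on this path, which is the behaviour the answer describes.
 dot1x auth-fail vlan 20
 dot1x auth-fail max-attempts 2
```

The two VLANs should be kept distinct and both restricted by ACLs or routing policy, since a failed-credential host lands in VLAN 20 with no further prompt while a supplicant-less host lands in VLAN 30 and is still held behind the web login.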


