•
Enter the authentication event no-response action authorize vlan vlan-id interface configuration
command to allow access to the guest VLAN.
•
Enter the shutdown interface configuration command followed by the no shutdown interface
configuration command to restart the port.
If devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients
that fail authentication access to the guest VLAN.
If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts
to an unauthorized state, and 802.1x authentication restarts.
Note
Any number of 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN.
If an 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into
the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1x ports in single host, multiple host, multi-auth and multi-domain modes.
You can configure any active VLAN except an RSPAN VLAN, a private VLAN, or a voice VLAN as an
802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk
ports; it is supported only on access ports.
The switch supports MAC authentication bypass. When MAC authentication bypass is enabled on an 802.1x
port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times
out while waiting for an EAPOL message exchange. After detecting a client on an 802.1x port, the switch
waits for an Ethernet packet from the client. The switch sends the authentication server a
RADIUS-access/request frame with a username and password based on the MAC address. If authorization
succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port
to the guest VLAN if one is specified.
802.1x Authentication with Restricted VLAN
You can configure a restricted VLAN (also referred to as an authentication failed VLAN) for each IEEE 802.1x
port on a switch stack or a switch to provide limited services to clients that cannot access the guest VLAN.
These clients are 802.1x-compliant and cannot access another VLAN because they fail the authentication
process. A restricted VLAN allows users without valid credentials in an authentication server (typically,
visitors to an enterprise) to access a limited set of services. The administrator can control the services available
to the restricted VLAN.
You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide
the same services to both types of users.
Note
Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains in
the spanning-tree blocking state. With this feature, you can configure the switch port to be in the restricted
VLAN after a specified number of authentication attempts (the default value is 3 attempts).
The authenticator counts the failed authentication attempts for the client. When this count exceeds the configured
maximum number of authentication attempts, the port moves to the restricted VLAN. The failed attempt count
increments when the RADIUS server replies with either an EAP failure or an empty response without an EAP
packet. When the port moves into the restricted VLAN, the failed attempt counter resets.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
284 OL-29048-01
Configuring IEEE 802.1x Port-Based Authentication
802.1x Authentication with Restricted VLAN
To Next Page
Loading...
Need help?
General
Weight and Dimensions
