dot1x guest-vlan
Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to
the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port is put into the unauthorized state in the RADIUS-configured or user-specified
access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an Remote Switched Port Analyzer (RSPAN) VLAN or a
voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal
VLANs (routed ports) or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you
might need to get a host IP address from a DHCP server. You can also change the settings for restarting
the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out
and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x
authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface
configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x
client type.
The switch supports MAC authentication bypass in Cisco IOS Release 12.2(25)SEE and later. When
MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize clients based
on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL
message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet
packet from the client. The switch sends the authentication server a RADIUS-access/request frame with
a username and password based on the MAC address. If authorization succeeds, the switch grants the
client access to the network. If authorization fails, the switch assigns the port to the guest VLAN, if one
is specified. For more information, see the "Using IEEE 802.1x Authentication with MAC
Authentication Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of
the software configuration guide.
Examples
This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config-if)# dot1x guest-vlan 5
This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an
IEEE 802.1x guest VLAN:
Switch(config)# dot1x guest-vlan supplicant
Switch(config)# interface FastEthernet0/1
Switch(config-if)# dot1x guest-vlan 5
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC
command.
Related Commands
Command
dot1x
show dot1x
Catalyst 3550 Multilayer Switch Command Reference
2-92
[interface interface-id]
Chapter 2
Description
Enables the optional guest VLAN supplicant feature.
Displays IEEE 802.1x status for the specified interface.
Catalyst 3550 Switch Cisco IOS Commands
OL-8566-02