Configuring a Guest VLAN

In an 802.1x-based environment, clients that fail the 802.1x port authentication will not be granted access to the network resources. This could be because these clients are not 802.1x capable, such as a printer or Microsoft Windows 98 operating system, or that they did not provide valid credentials, such as forgotten password, visitors, and so on.

In these types of scenarios, it is possible to assign a VLAN as guest VLAN with limited services to the clients. The switch assigns clients to a guest VLAN when the authentication server does not receive a response to its EAP-Request/Identity frame or when the client does not send EAP packets.

Prior to release 12.2(22)EA2, both the 802.1x and non-802.1x-capable clients could join the guest VLAN. This is because the switch did not keep a history of EAPOL packets, therefore granting access to the guest VLAN for all clients that failed to authenticate. In release 12.2(22)EA2, the behavior of the guest VLAN changed so that it keeps a history of the EAPOL packet and denying access to a non-802.1x-based client.

In addition, if an 802.1x-capable client attempts to join a guest VLAN port (multiport) on which non-802.1x clients are configured, the port is put into the unauthorized state, and authentication is restarted. This affects network access for all clients on that 802.1x port.

The dotlx guest-vlan supplicant global configuration command on the switch is used to allow 802.1x clients that fail authentication into the guest VLAN.

0 0

Post a comment