Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
How to Configure 802.1X
To enable the optional guest VLAN behavior and to configure a guest VLAN, perform this task:
To disable the optional guest VLAN feature on a particular port, use the no dot1x guest-vlan supplicant
global configuration command.
This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an 802.1X
guest VLAN:
Switch# configure terminal
Switch(config)# dot1x guest-vlan supplicant
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# dot1x guest-vlan 5
Switch(config-if)# end
Switch#
Configuring 802.1X with Authentication Failed VLAN Assignment
You can configure Authentication Failed VLAN assignment on any Layer 2 port on the Catalyst 4500
series switch to provide limited network services to clients who fail the authentication process. You can
use Authentication Failed VLAN assignment with other security features, such as Dynamic ARP
Inspection (DAI), Dynamic Host Configuration Protocol (DHCP) snooping, and IP source guard. Each
of these features can be enabled and disabled independently on the authentication-failed VLAN.
The port of a client who fails authentication is tagged as an "authentication failed" port and is placed in
the authentication-failed VLAN. The port remains in the authentication-failed VLAN until the
reauthentication timer expires.
You can configure the maximum number of authentication attempts that the authenticator allows before
moving a port into the authentication-failed VLAN. The default value is 3; you may set the number as
low as 1 and as high as 10. The authenticator keeps a count of the failed authentication attempts for
each port. Failed attempts are counted from the time of linkup until the port is moved into the
authentication-failed VLAN. When the port is moved, the counter is reset.
Note You cannot configure an authentication-failed VLAN and a voice VLAN on the same port. When you
try to configure these two features on the same port, a syslog message is generated.
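As an added illustration that is not part of this guide's text, the following session assigns an authentication-failed VLAN to one port, lowers the attempt threshold from the default of 3 to 2, and enables DHCP snooping and DAI on that VLAN so a client parked there still cannot spoof addresses. VLAN 20, the VLAN name, and interface gigabitethernet0/2 are constructed values. The dot1x auth-fail vlan and dot1x auth-fail max-attempts commands do not appear on this page and are assumed here from the Catalyst 4500 command reference; confirm their syntax against the command reference for your release before use.

```cisco
! Added example, not from the guide. VLAN 20 and gigabitethernet0/2 are constructed values.
! The dot1x auth-fail commands are assumed from the Catalyst 4500 command reference.
Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# name AUTH-FAILED
Switch(config-vlan)# exit
! DHCP snooping and DAI can be enabled independently on the authentication-failed VLAN
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 20
Switch(config)# ip arp inspection vlan 20
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# dot1x port-control auto
! Port moves to VLAN 20 once the client exhausts the allowed attempts
Switch(config-if)# dot1x auth-fail vlan 20
! Default is 3 attempts; the permitted range is 1 to 10
Switch(config-if)# dot1x auth-fail max-attempts 2
Switch(config-if)# end
! Verify the port state, then save
Switch# show dot1x interface gigabitethernet0/2
Switch# copy running-config startup-config
```

A voice VLAN must not be configured on the same port, as the Note above states; if it is, the switch logs a syslog message rather than applying both features.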
Task table for enabling the optional guest VLAN behavior and configuring a guest VLAN (the steps referred to above):

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# dot1x guest-vlan supplicant
Purpose: Enables the optional guest VLAN behavior globally on the switch.

Step 3
Command: Switch(config)# interface interface-id
Purpose: Enters interface configuration mode and specifies the interface to be enabled for 802.1X authentication.

Step 4
Command: Switch(config-if)# dot1x guest-vlan vlan-id
Purpose: Specifies an active VLAN as an 802.1X guest VLAN. The range is 1 to 4094.

Step 5
Command: Switch(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 6
Command: Switch# show dot1x interface interface-id
Purpose: Verifies your entries.

Step 7
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.