Step
4.
Enable periodic online user
re-authentication.
Configuring an 802.1X guest VLAN
Configuration guidelines
Follow these guidelines when you configure an 802.1X guest VLAN:
You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different
•
ports can be different.
•
Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port, so
the port can correctly process incoming VLAN tagged traffic.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member.
•
After the assignment, do not re-configure the port as a tagged member in the VLAN.
When the port moves between VLANs (for example, leaves the original PVID and joins the guest
•
VLAN), ask 802.1X users to manually update their IP address so that they can access specific
resources.
•
Use
Table 6
Table 6 Relationships of the 802.1X guest VLAN and other security features
Feature
802.1X Auth-Fail VLAN on a port
that performs MAC-based access
control
Port intrusion protection on a port
that performs MAC-based access
control
Configuration prerequisites
Create the VLAN to be specified as the 802.1X guest VLAN.
•
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger
•
(dot1x multicast-trigger).
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
•
enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an
untagged member. For more information about the MAC-based VLAN function, see Layer 2
Switching Configuration Guide.
Configuration procedure
To configure an 802.1X guest VLAN:
Command
dot1x re-authenticate
when configuring multiple security features on a port.
Relationship description
The 802.1X Auth-Fail VLAN has a higher
priority
The 802.1X guest VLAN function has
higher priority than the block MAC action
but lower priority than the shut down port
action of the port intrusion protection
feature.
87
Remarks
By default, the function is disabled.
Reference
See
"Using 802.1X
authentication with other
features"
See
"Configuring port
security"
LAN
—