Configuring 802.1X Port-Based Authentication
Figure 44-15 VLAN User Distribution on ACS: Multiple VLAN Numbers Configured per User
After you complete these two tasks and receive authorization, ACS sends the configured VLAN group
to the switch. The switch is alerted to the list of VLANs configured under the VLAN group, and the least
loaded valid VLAN in the group is assigned to the port.
Configuring 802.1X with Authentication Failed
By configuring authentication-failed VLAN assignment on any Layer 2 port on the Catalyst 4500 series
switch, you can provide limited network services to clients that fail the authentication process.
Note
You can use authentication-failed VLAN assignment with other security features, such as Dynamic ARP
Inspection (DAI), Dynamic Host Configuration Protocol (DHCP) snooping, and IP Source Guard. Each
of these features can be enabled and disabled independently on the authentication-failed VLAN.
To configure 802.1X with authentication-failed VLAN assignment, perform this task:
        Command                                              Purpose
Step 1  Switch# configure terminal                           Enters global configuration mode.
Step 2  Switch(config)# interface interface-id               Enters interface configuration mode and specifies the interface to be
                                                             enabled for 802.1X authentication.
Step 3  Switch(config-if)# switchport mode access            Specifies a nontrunking, nontagged single VLAN Layer 2 interface.
Step 4  Switch(config-if)# authentication port-control auto  Enables 802.1X authentication on the interface.
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
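An added example, not from the Cisco guide: a Python check that audits a saved running-config for interfaces that miss Step 3 or Step 4 of the task above. The sample configuration and interface names are constructed, and the check assumes that `switchport mode access` appears explicitly in each interface stanza.

```python
import re

# Constructed sample running-config (not from the guide); interface names are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/2
 switchport mode access
!
interface GigabitEthernet1/3
 switchport mode trunk
 authentication port-control auto
!
interface GigabitEthernet1/4
 authentication port-control auto
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(" ".join(line.split()))
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def audit_dot1x(config):
    """Return {interface: finding} for ports that miss Step 3 or Step 4."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        access = "switchport mode access" in cmds
        dot1x = "authentication port-control auto" in cmds
        if access and not dot1x:
            findings[name] = "access port without authentication port-control auto"
        elif dot1x and not access:
            findings[name] = "port-control auto without switchport mode access"
    return findings

if __name__ == "__main__":
    for name, finding in audit_dot1x(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```
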
Chapter 44
OL-25340-01