Cisco catalyst 3750 Command Reference Manual page 174

Chapter 2 Catalyst 3750 Switch Cisco IOS Commands
dot1x guest-vlan
However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan supplicant global configuration
command is no longer supported. You can use a restricted VLAN to allow clients that failed
authentication access to the network by entering the dot1x auth-fail vlan vlan-id interface configuration
command.
Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to
the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port is put into the unauthorized state in the RADIUS-configured or user-configured
access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an Remote Switched Port Analyzer (RSPAN) VLAN, a
primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is
not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you
might need to get a host IP address from a DHCP server. You can change the settings for restarting the
IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and
tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x
authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface
configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x
client type.
The switch supports MAC authentication bypass in Cisco IOS Release 12.2(25)SEE and later. When it
is enabled on an IEEE 802.1x port, the switch can authorize clients based on the client MAC address
when IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After
detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The
switch sends the authentication server a RADIUS-access/request frame with a username and password
based on the MAC address. If authorization succeeds, the switch grants the client access to the network.
If authorization fails, the switch assigns the port to the guest VLAN if one is specified. For more
information, see the "Using IEEE 802.1x Authentication with MAC Authentication Bypass" section in
the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.
Examples This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config-if)# dot1x guest-vlan 5
This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that
the switch waits for a response to an EAP-request/identity frame from the client before resending the
request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected
to a DHCP client:
Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x guest-vlan 2
This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an
IEEE 802.1x guest VLAN:
Switch(config)# dot1x guest-vlan supplicant
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# dot1x guest-vlan 5
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC
command.
Catalyst 3750 Switch Command Reference
2-144
OL-8552-07