Authentication Commands
4-125
4
• The VLAN settings specified by the first authenticated MAC address are
implemented for a port. Other authenticated MAC addresses on the port must
have same VLAN configuration, or they are treated as authentication failure.
• If dynamic VLAN assignment is enabled on a port and the RADIUS server
returns no VLAN configuration, the authentication is still treated as a success.
• When the dynamic VLAN assignment status is changed on a port, all
authenticated addresses are cleared from the secure MAC address table.
Example
The following example enables dynamic VLAN assignment on port 1.
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when network
access (MAC authentication) or 802.1x authentication is rejected. Use the no form
of this command to disable guest VLAN assignment.
Syntax
network-access guest-vlan vlan-id
no network-access guest-vlan
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
• The VLAN to be used as the guest VLAN must be defined and set as active
(“vlan database” on page 4-242).
• When used with 802.1x authentication, the intrusion-action configuration
must be set for ‘guest-vlan’ to be effective (“dot1x intrusion-action” on
page 4-118).
Example
network-access link-detection
Use this command to enable the link detection feature. Use the no form of this
command to restore the default.
Syntax
[no] network-access link-detection
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#