Dell 6200 SERIES Computer Accessories User Manual


 
110 Device Security
VLAN and the port is moved to the authorized state, allowing access to the client. However, if the port is
in MAC-based 802.1X authentication mode, it will not move to the authorized state. MAC-based mode
makes it possible for both authenticated and guest clients to use the same port at the same time.
Client devices that are 802.1X-supplicant-enabled authenticate with the switch when they are plugged
into the 802.1X-enabled switch port. The switch verifies the credentials of the client by communicating
with an authentication server. If the credentials are verified, the authentication server informs the switch
to 'unblock' the switch port and allows the client unrestricted access to the network; i.e., the client is a
member of an internal VLAN.
Beginning with software release 2.1, Guest VLAN Supplicant mode is configured on a per-port basis. If a
client does not attempt authentication on a port and the port is configured for Guest VLAN, the client is
assigned to the guest VLAN configured on that port. The port is assigned a Guest VLAN ID and is
moved to the authorized status. Disabling the supplicant mode does not clear the ports that are already
authorized and assigned Guest VLAN IDs.
CLI Examples
The following examples show how to configure the switch to accept RADIUS-assigned VLANs and Guest
VLANs. The examples assume that the RADIUS server and VLAN information has already been
configured on the switch. For information on configuring VLANs, see "Virtual LANs" on page 29.
Example #1: Allow the Switch to Accept RADIUS-Assigned VLANs
The RADIUS server can place a port in a particular VLAN based on the result of the authentication. The
command in this example allows the switch to accept VLAN assignment by the RADIUS server.
NOTE: The feature is available in release 2.1 and later.
console#config
console(config)#aaa authorization network default radius
Example #2: Enable Guest VLANs
This example shows how to set the guest VLAN on interface 1/g20 to VLAN 100. This command
automatically enables the Guest VLAN Supplicant Mode on the interface.
NOTE: Define the VLAN before configuring an interface to use it as the guest VLAN.
console#configure
console(config)#interface ethernet 1/g20
console(config-if-1/g20)#dot1x guest-vlan 100
console(config-if-1/g20)# <CTRL+Z>
console#show dot1x advanced ethernet 1/g20
Port      Guest     Unauthenticated
          VLAN      Vlan
--------- --------- ---------------
1/g20     Disabled  Disabled
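
The following Python script is an added example, not part of the Dell manual. It audits a saved configuration for the two settings shown in Examples #1 and #2: it lists every port that places unauthenticated clients in a guest VLAN, flags guest VLAN IDs that are never defined (see the NOTE in Example #2), and reports whether RADIUS-assigned VLANs are accepted. The function name audit_guest_vlans, the sample configuration, and its "vlan database ... exit" layout are assumptions made for the example.

```python
import re

# Constructed sample configuration (not taken from the manual). The block
# layout ("vlan database" ... "exit", "interface ..." ... "exit") is assumed.
SAMPLE_CONFIG = """\
vlan database
vlan 100
vlan 200
exit
aaa authorization network default radius
interface ethernet 1/g20
dot1x guest-vlan 100
exit
interface ethernet 1/g21
dot1x guest-vlan 300
exit
interface ethernet 1/g22
exit
"""

def audit_guest_vlans(config_text):
    """Return (guest_ports, undefined_guest_vlans, radius_vlan_accepted)."""
    defined, guest_ports = set(), {}
    in_vlan_db, iface, radius_vlan = False, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "vlan database":
            in_vlan_db = True
        elif line == "exit":
            in_vlan_db, iface = False, None   # leave the current block
        elif in_vlan_db and (m := re.fullmatch(r"vlan (\d+)", line)):
            defined.add(int(m.group(1)))
        elif m := re.fullmatch(r"interface ethernet (\S+)", line):
            iface = m.group(1)
        elif iface and (m := re.fullmatch(r"dot1x guest-vlan (\d+)", line)):
            guest_ports[iface] = int(m.group(1))
        elif line == "aaa authorization network default radius":
            radius_vlan = True
    # Guest VLANs referenced on a port but never defined on the switch.
    undefined = {p: v for p, v in guest_ports.items() if v not in defined}
    return guest_ports, undefined, radius_vlan

if __name__ == "__main__":
    ports, undefined, radius_vlan = audit_guest_vlans(SAMPLE_CONFIG)
    for port, vlan in sorted(ports.items()):
        state = "UNDEFINED VLAN" if port in undefined else "ok"
        print(f"{port}: guest VLAN {vlan} ({state})")
    print("RADIUS-assigned VLANs accepted:", radius_vlan)
```

Ports that appear in the first result admit clients that never authenticate, so the guest VLAN they map to should be reviewed as an untrusted segment.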