Configuring 802.1X With Guest Vlans - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Chapter 44
Configuring 802.1X Port-Based Authentication
%PM-4-ERR_DISABLE: security-violation error detected on <interface name>, putting
<interface name> in err-disable state

Configuring 802.1X with Guest VLANs

You can configure a guest VLAN for each 802.1X port on the Catalyst 4500 series switch to provide
limited services to clients, such as downloading the 802.1X client. These clients might be upgrading
their system for 802.1X authentication, and some hosts, such as Windows 98 systems, might not be
802.1X-capable.
When you enable a guest VLAN on an 802.1X port, the Catalyst 4500 series switch assigns clients to a
guest VLAN, provided one of the following applies:

- The authentication server does not receive a response to its EAPOL request or identity frame.
- The EAPOL packets are not sent by the client.

Beginning with Cisco IOS Release 12.2(25)EWA, the Catalyst 4500 series switch maintains the EAPOL
packet history. If another EAPOL packet is detected on the interface during the lifetime of the link,
network access is denied. The EAPOL history is reset upon loss of the link.

Any number of 802.1X-incapable clients are allowed access when the switch port is moved to the guest
VLAN. If an 802.1X-capable client joins the same port on which the guest VLAN is configured, the port
is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.

Guest VLANs are supported on 802.1X ports in single-host or multiple-hosts mode.

Note: When a port is put into a guest VLAN, it is automatically placed into multihost mode, and an
unlimited number of hosts can connect using the port. Changing the multihost configuration does not
affect a port in a guest VLAN.

Note: Except for an RSPAN VLAN or a voice VLAN, you can configure any active VLAN as an 802.1X guest
VLAN.

To configure 802.1X with guest VLAN on a port, perform this task:

|        | Command | Purpose |
|--------|---------|---------|
| Step 1 | Switch# configure terminal | Enters global configuration mode. |
| Step 2 | Switch(config)# interface interface-id | Enters interface configuration mode and specifies the interface to be enabled for 802.1X authentication. |
| Step 3 | Switch(config-if)# switchport mode access | Specifies a nontrunking, nontagged single VLAN Layer 2 interface. |
|        | or Switch(config-if)# switchport mode private-vlan host | Specifies that the ports with a valid PVLAN trunk association become active host PVLAN trunk ports. |
| Step 4 | Switch(config-if)# dot1x pae authenticator | Enables 802.1X authentication on the port with default parameters. Refer to the "Default 802.1X Configuration" section on page 44-27. |

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG (OL-25340-01)
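The guest VLAN decisions described in this section (fallback when EAPOL goes unanswered, the per-link EAPOL history, and the return to the access VLAN when an 802.1X-capable client appears) can be traced with a small Python model. This is an added example, not Cisco code and not part of the original manual; the class, method and event names and the VLAN numbers are hypothetical, and reading "network access is denied" as "the port is not moved to the guest VLAN" is an assumption.

```python
# Added illustration (not Cisco code): simplified model of the guest VLAN
# behaviour in this section. Names and VLAN numbers are hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass
class GuestVlanPort:
    access_vlan: int
    guest_vlan: int
    configured_host_mode: str = "single-host"
    eapol_seen: bool = False        # EAPOL packet history for this link
    state: str = "unauthorized"
    vlan: Optional[int] = None      # VLAN the port currently sits in

    @property
    def host_mode(self):
        # A port in the guest VLAN is multihost whatever was configured.
        return "multiple-hosts" if self.state == "guest" else self.configured_host_mode

    def eapol_from_client(self):
        """An EAPOL packet is detected on the interface."""
        self.eapol_seen = True
        if self.state == "guest":
            # 802.1X-capable client on a guest port: unauthorized in the
            # access VLAN, and authentication restarts.
            self.state, self.vlan = "unauthorized", self.access_vlan

    def request_timed_out(self):
        """No response to the EAPOL request/identity frame."""
        if self.eapol_seen:
            # Assumption: "access is denied" means no guest VLAN fallback.
            self.state, self.vlan = "unauthorized", None
            return False
        self.state, self.vlan = "guest", self.guest_vlan
        return True

    def link_down(self):
        # Loss of link resets the EAPOL history.
        self.eapol_seen = False
        self.state, self.vlan = "unauthorized", None

def replay(port, events):
    """Apply constructed event names in order; return the (state, vlan) trace."""
    trace = []
    for ev in events:
        getattr(port, ev)()
        trace.append((port.state, port.vlan))
    return trace
```

Replaying `request_timed_out`, `eapol_from_client`, `request_timed_out` on one port shows why a port that has seen EAPOL once stays out of the guest VLAN until the link drops.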
