dot1x auth-fail vlan vlan-id

From: slevin kremera (slevin.kremera@gmail.com)
Date: Wed Oct 17 2007 - 08:50:21 ART


Hi experts,
I am confused about this.

Firstly, is it supported on both 3550 and 3560... I think yes.
Secondly, in what kind of situation do I need to use this?

from the doc cd
Configuring a Restricted VLAN

When you configure a restricted VLAN on a switch, clients that are IEEE
802.1x-compliant are moved into the restricted VLAN when the authentication
server does not receive a valid username and password. The switch supports
restricted VLANs only in single-host mode.

Beginning in privileged EXEC mode, follow these steps to configure a
restricted VLAN. This procedure is optional.
Usage Guidelines

You can configure a restricted VLAN on ports configured as follows:

- single-host (default) mode only

- auto mode for authorization

You should enable re-authentication. The ports in restricted VLANs do not
receive re-authentication requests if re-authentication is disabled. To
start the re-authentication process, the restricted VLAN must receive a link
down event or an Extensible Authentication Protocol (EAP) logoff event from
the port. If the host is connected through a hub, the port might never
receive a link down event and might not detect the new host until the next
re-authentication attempt occurs. Therefore, re-authentication should be
enabled.

If the user fails authentication, the port is moved to a restricted VLAN,
and an EAP success message is sent to the user. Because the user is not
notified of the authentication failure, there might be confusion as to why
there is restricted access to the network. An EAP success message is sent
for these reasons:

- If the EAP success message is not sent, the user tries to authenticate
every 60 seconds (the default) by sending an EAP-start message.

- Some hosts (for example, devices running Windows XP) cannot implement DHCP
until they receive an EAP success message.

A user might cache an incorrect username and password combination after
receiving an EAP success message from the authenticator and re-use that
information in every re-authentication. Until the user passes the correct
username and password combination, the port remains in the restricted VLAN.

Internal VLANs that are used for Layer 3 ports cannot be configured as a
restricted VLAN.

You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN.
If you do this, a syslog message is generated.

When a restricted VLAN port is moved to an unauthorized state, the
authentication process is restarted. If the user fails the authentication
process again, the authenticator waits in the held state. After the user has
correctly re-authenticated, all IEEE 802.1x ports are reinitialized and
treated as normal IEEE 802.1x ports.

When you reconfigure a restricted VLAN to a different VLAN, any ports in the
restricted VLAN are also moved and the ports stay in their current
authorized state.

When you shut down or remove a restricted VLAN from the VLAN database, any
ports in the restricted VLAN are immediately moved to an unauthorized state
and the authentication process is restarted. The authenticator does not wait
in a held state because the restricted VLAN configuration still exists.
While the restricted VLAN is inactive, all authentication attempts are
counted. As soon as the restricted VLAN becomes active, the port is placed
in the restricted VLAN.

The restricted VLAN is supported only in single-host mode (the default port
mode).

When a port is placed in a restricted VLAN, the user's MAC address is added
to the MAC address table. If a new MAC address appears on the port, it is
treated as a security violation.
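As an added example (not from the post or from the Cisco documentation quoted above), here is the kind of access-port configuration the usage guidelines describe: single-host mode, port-control auto, a restricted VLAN for clients whose credentials are rejected, and re-authentication switched on so the port is not stuck in the restricted VLAN until a link-down or EAP-logoff. The VLAN numbers, interface, RADIUS address and shared secret are assumed placeholders.

```text
! Added example, not the post's or Cisco's own configuration.
! VLAN numbers, RADIUS server and key are assumed placeholders.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key RADIUS-SECRET-PLACEHOLDER
dot1x system-auth-control
!
! The restricted VLAN must exist in the VLAN database; if it is shut
! down or removed, ports in it drop to unauthorized and restart 802.1x.
vlan 10
 name USERS
vlan 99
 name RESTRICTED
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Restricted VLAN is supported only with port-control auto and
 ! single-host mode; a second MAC on the port is a security violation.
 dot1x port-control auto
 dot1x host-mode single-host
 ! Move the port to VLAN 99 after the failed attempts (3 is the default);
 ! do NOT reuse the voice VLAN here, the switch logs a syslog message.
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 3
 ! Re-authentication must be enabled: without it a port in the restricted
 ! VLAN only retries after a link-down or EAP-logoff, which a host behind
 ! a hub may never generate. The period (seconds) is a local choice.
 dot1x reauthentication
 dot1x timeout reauth-period 300
```

Check the resulting state with `show dot1x interface FastEthernet0/1`, which shows the port's authorization state and the auth-fail VLAN in use.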



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:15 ART