Deployment Guide
dot1x guest-vlan
Congure a guest VLAN for limited access users or for devices that are not 802.1X capable.
Syntax
dot1x guest-vlan vlan-id
To disable the guest VLAN, use the no dot1x guest-vlan vlan-id command.
Parameters
vlan-id Enter the VLAN Identier. The range is from 1 to 4094.
Defaults Not congured.
Command Modes CONFIGURATION (conf-if-interface-slot/port)
Supported Modes Full–Switch
Command History
Version Description
9.9(0.0) Introduced on the FN IOM.
9.2(0.0) Introduced on the MXL 10/40GbE Switch IO Module.
Usage Information
1X authentication is enabled when an interface is connected to the switch. If the host fails to respond within a
designated amount of time, the authenticator places the port in the guest VLAN.
If a device does not respond within 30 seconds, it is assumed that the device is not 802.1X capable. Therefore, a
guest VLAN is allocated to the interface and authentication, for the device, occurs at the next reauthentication
interval (dot1x reauthentication).
If the host fails authentication for the designated number of times, the authenticator places the port in
authentication failed VLAN (dot1x auth-fail-vlan).
NOTE: You can create the Layer 3 portion of a guest VLAN and authentication fail VLANs regardless if
the VLAN is assigned to an interface or not. After an interface is assigned a guest VLAN (which has an
IP address), routing through the guest VLAN is the same as any other trac. However, the interface
may join/leave a VLAN dynamically.
Related Commands
• dot1x auth-fail-vlan — Congures an authentication failure VLAN.
• dot1x reauthentication — Enables periodic re-authentication of the client.
• dot1x reauth-max — Congure the maximum number of times to re-authenticate a port before it becomes
unauthorized.
dot1x host-mode
Enable single-host or multi-host authentication.
Syntax
dot1x host-mode {single-host | multi-host | multi-auth}
Parameters
single-host Enable single-host authentication.
multi-host Enable multi-host authentication.
802.1X 137