Manualshelf

Reference Guide

ManualsBrandsDell ManualsserversDell Force10 S55T
919293949596979899100
802.1X | 95
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this
behavior is not appropriate. External users of an enterprise network, for example, might not be able to be
authenticated, but still need access to the network. Also, some dumb-terminals such as network printers do
not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such
devices, they must be allowed access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices,
and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
If the supplicant fails authentication a specified number of times, the authenticator places the port in
the Authentication-fail VLAN.
If a port is already forwarding on the Guest VLAN when 802.1X is enabled, then the port is moved out
of the Guest VLAN, and the authentication process begins.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period, see
Configuring Timeouts on page 92) the system assumes that the host does not have 802.1X capability, and
and the port is placed in the Guest VLAN.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using
the command
dot1x guest-vlan from INTERFACE mode, as shown in Figure 6-12.
Figure 6-12. Configuring a Guest VLAN
View your configuration using the command show config from INTERFACE mode, as shown in
Figure 6-12, or using the command
show dot1x interface command from EXEC Privilege mode as shown
in Figure 6-14.
Configuring an Authentication-fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount
of time (30 seconds by default, see Configuring a Quiet Period after a Failed Authentication on page 88).
You can configure the maximum number of times the authenticator re-attempts authentication after a
failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process as specified number of
times using the command
dot1x auth-fail-vlan from INTERFACE mode, as shown in Figure 6-13.
Configure the maximum number of authentication attempts by the authenticator using the keyword
max-attempts with this command.
FTOS(conf-if-gi-1/2)#dot1x guest-vlan 200
FTOS(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
switchport
dot1x guest-vlan 200
no shutdown
FTOS(conf-if-gi-1/2)#