Reference Guide
Security | 1313
dot1x guest-vlan
c e s
Configure a guest VLAN for limited access users or for devices that are not 802.1X capable.

Syntax
dot1x guest-vlan vlan-id
To disable the guest VLAN, use the no dot1x guest-vlan vlan-id command.

Parameters
vlan-id    Enter the VLAN Identifier.
           Range: 1 to 4094

Defaults
Not configured

Command Modes
CONFIGURATION (conf-if-interface-slot/port)

Command History
Version 8.3.7.0    Introduced on S4810
Version 7.6.1.0    Introduced on C-Series, E-Series, and S-Series

Usage Information
802.1X authentication is enabled when an interface is connected to the switch. If the host fails
to respond within a designated amount of time, the authenticator places the port in the guest
VLAN.
If a device does not respond within 30 seconds, it is assumed that the device is not 802.1X
capable. Therefore, a guest VLAN is allocated to the interface, and authentication for the
device occurs at the next re-authentication interval (dot1x reauthentication).
If the host fails authentication the designated number of times, the authenticator places the
port in the authentication failed VLAN (dot1x auth-fail-vlan).
Note: The Layer 3 portion of the guest VLAN and authentication fail VLANs can be created
regardless of whether the VLAN is assigned to an interface. Once an interface is
assigned a guest VLAN (which has an IP address), routing through the guest
VLAN is the same as for any other traffic. However, an interface may join or leave a VLAN
dynamically.

Related Commands
dot1x auth-fail-vlan      Configure a VLAN for authentication failures
dot1x reauthentication    Enable periodic re-authentication
show dot1x interface      Display the 802.1X information on an interface

dot1x mac-auth-bypass
c s
Enable MAC authentication bypass. If 802.1X times out because the host did not respond to
the Identity Request frame, FTOS attempts to authenticate the host based on its MAC address.
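
The following is an added example, not part of the reference guide: a small audit of a saved configuration for the two conditions the dot1x guest-vlan usage notes describe, a port with a guest VLAN but no dot1x reauthentication, and a guest VLAN that has an IP address and is therefore routed like any other traffic. The configuration text, its layout (interface blocks ending in "!"), the interface names and the function names are assumptions constructed for illustration.

```python
import re
# Constructed sample laid out like an FTOS running-config (assumed layout, not from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet 2/1
 dot1x guest-vlan 10
 dot1x reauthentication
!
interface GigabitEthernet 2/2
 dot1x guest-vlan 10
!
interface GigabitEthernet 2/3
 dot1x guest-vlan 11
 dot1x reauthentication
!
interface Vlan 10
 ip address 192.0.2.1/24
!
interface Vlan 11
 no ip address
"""

GUEST = re.compile(r"dot1x guest-vlan (\d+)$")

def parse_interfaces(config):
    """Map each 'interface <name>' header to its list of stripped sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line[len("interface "):].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any top-level line closes the block
    return blocks

def audit_guest_vlans(config):
    """Return (interface, finding) pairs for ports configured with dot1x guest-vlan."""
    blocks, findings = parse_interfaces(config), []
    for name, cmds in blocks.items():
        for vlan in [int(m.group(1)) for m in map(GUEST.match, cmds) if m]:
            # Without periodic re-authentication there is no "next interval" for a retry.
            if not any(c.startswith("dot1x reauthentication") for c in cmds):
                findings.append((name, "guest VLAN set without dot1x reauthentication"))
            # A guest VLAN with an IP address is routed the same as any other traffic.
            if any(c.startswith("ip address ") for c in blocks.get(f"Vlan {vlan}", [])):
                findings.append((name, f"guest VLAN {vlan} has an IP address (routed)"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_guest_vlans(SAMPLE_CONFIG):
        print(f"{port}: {finding}")
```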










