Installation guide
Command Line Interface
4-148
4
have same VLAN configuration, or they are treated as an authentication
failure.
• If dynamic VLAN assignment is enabled on a port and the RADIUS server
returns no VLAN configuration, the authentication is still treated as a success,
and the host assigned to the default untagged VLAN.
• When the dynamic VLAN assignment status is changed on a port, all
authenticated addresses are cleared from the secure MAC address table.
Example
The following example enables dynamic VLAN assignment on port 1.
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when network
access (MAC authentication) or 802.1x authentication is rejected. Use the no form
of this command to disable guest VLAN assignment.
Syntax
network-access guest-vlan vlan-id
no network-access guest-vlan
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
• The VLAN to be used as the guest VLAN must be defined and set as active
(“vlan database” on page 4-245).
• When used with 802.1X authentication, the intrusion-action must be set for
“guest-vlan” to be effective (see “dot1x intrusion-action” on page 4-136).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#