06-30-2015 08:35 AM - edited 03-10-2019 10:51 PM
Hello,
A 2960S LAN Lite switch with dot1x and MAB configured successfully authenticates 802.1x clients. However, for the non-authenticated guest clients we would like to assign a guest VLAN, which requires the "dot1x guest-vlan x" command under the interface configuration. But this command does not exist, although most 802.1x-related commands exist.
This document explains the features supported by ISE for different kinds of switch models; the 2960S LAN Lite supports 802.1x, but no details are given about the guest VLAN feature, which may be necessary for guest clients. How can we solve this problem?
The IOS version is 12.2(55)SE3.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-0-4/compatibility/ise104_sdt.html
| Minimum OS Version 1 |
|---|
| IOS v12.2(52)SE LAN Lite2 |
06-30-2015 10:23 AM
Hello Canero,
LAN Lite IOS is very limited, and most people recommend staying away from LAN Lite if you have a choice.
Restricted VLANs that provide limited access require LAN Base.
See link below.
| To use this feature, the switch must be running the LAN Base image. |
| To use authentication with restricted VLANs, the switch must be running the LAN Base image. |
Hope this helps.
Please rate helpful posts.
Thanks.
06-30-2015 11:35 PM
Hi Charles,
The link you provided is very good; it explains the features for which LAN Lite is not enough and at least the LAN Base feature set is needed (though it is for the 2960X, it should be valid for the 2960S as well).
Here the confusing part is that, although it is clearly noted that restricted VLANs are only supported with LAN Base, for the guest VLAN this is not stated, so either it was forgotten in the documentation or there may be some differences between IOS and switch models and versions.
At https://globalconfig.net/802-1x-vlans/ the guest VLAN and restricted VLAN are distinguished according to whether an EAPOL frame is received on the port or not.
Today we may test with a newer IOS version; it would be better, if possible, to upgrade to LAN Base.
Best Regards,
07-10-2015 01:34 AM
It seems that the interface command "dot1x guest-vlan" was deprecated a long time ago, with IOS 12.2(50)SG and later releases:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/54sg/command/reference/cmdref/ch2a_ins.html
"authentication event no-response action authorize vlan" is necessary for using a guest VLAN for a guest user that fails 802.1x, MAB or web authentication. It does not matter whether only 802.1x or some combination of these three authentication methods is used under the interface configuration. The guest VLAN is assigned at the end of authentication as a last resort if all authentications fail or time out, which is expected for a guest user that has no configuration beforehand.
Important points and prerequisites for guest VLAN assignment:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html
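As an added example, not part of the original thread or of Cisco's documentation, here is an access-port configuration that applies the point of the last post: the guest VLAN is configured with `authentication event no-response action authorize vlan` rather than the deprecated `dot1x guest-vlan` command, with dot1x and MAB both enabled on the port. The interface name, VLAN IDs, RADIUS server address and shared secret are placeholders. The restricted-VLAN line (`authentication event fail action authorize vlan`) is shown for contrast only; as the earlier reply notes, that feature needs the LAN Base image, so omit it on a LAN Lite switch.

```text
! Added example configuration (assumed interface, VLANs, server and key).
! Global AAA / 802.1X prerequisites
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET
!
interface GigabitEthernet1/0/5
 description access port: 802.1X first, MAB fallback, guest VLAN 20 on no response
 switchport mode access
 switchport access vlan 10
 ! try 802.1X first, then MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! guest VLAN: no EAPOL from the host and MAB returned nothing usable
 authentication event no-response action authorize vlan 20
 ! restricted VLAN on an authentication FAILURE (credentials rejected);
 ! LAN Base only, leave this line out on LAN Lite
 authentication event fail action authorize vlan 30
 mab
 dot1x pae authenticator
 ! how long a host without a supplicant waits before guest VLAN assignment:
 ! tx-period x (max-reauth-req + 1) = 10 x 3 = 30 seconds
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

To confirm which VLAN a port was placed in, and why, use `show authentication sessions interface GigabitEthernet1/0/5`; a host that sent no EAPOL and did not match a MAB entry should show the session authorized into VLAN 20. Because the guest VLAN is reached by any device that simply stays silent during 802.1X, treat it as untrusted: filter it at its gateway (for example Internet-only access) rather than giving it the same reachability as the authenticated access VLAN.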