
Does 2960S LAN Lite support guest VLAN? dot1x guest-vlan command does not exist

canero (Level 1)

Hello,

A 2960S LAN Lite switch with dot1x and MAB configured successfully authenticates 802.1x clients. However, for the non-authenticated guest clients we would like to assign a guest VLAN, which requires the "dot1x guest-vlan x" command under the interface configuration. But this command does not exist, although most 802.1x-related commands do.

 

This document explains the features supported by ISE for different switch models; according to it, the 2960S LAN Lite supports 802.1x, but no details are given about the guest VLAN feature, which may be necessary for guest clients. How can we solve this problem?

 

IOS Version is 12.2(55)SE3

 

 

http://www.cisco.com/c/en/us/td/docs/security/ise/1-0-4/compatibility/ise104_sdt.html 

Table 1 Supported Network Access Devices

| Device | Minimum OS Version (1) | MAB | 802.1X | Web Auth | Session CoA | VLAN | DACL | SGA |
|---|---|---|---|---|---|---|---|---|
| Access Switches | | | | | | | | |
| Catalyst 2940 | IOS v12.1(22)EA1 | Yes | Yes | No | No | Yes | No | No |
| Catalyst 2950 | IOS v12.1(22)EA1 | No | Yes | No | No | Yes | No | No |
| Catalyst 2955 | IOS v12.1(22)EA1 | No | Yes | No | No | Yes | No | No |
| Catalyst 2960, Catalyst 2960S, ISR EtherSwitch ES2 | IOS v12.2(52)SE LAN Base | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Catalyst 2960, Catalyst 2960S | IOS v12.2(52)SE LAN Lite (2) | Yes | Yes | No | No | Yes | No | No |

(1) For 802.1X authentications, you need IOS version 12.2(55)SE3.

(2) Does not support posture and profiling services.

3 Replies

Charles Hill (VIP Alumni)

Hello Canero,

LAN Lite IOS is very limited, and most people recommend staying away from LAN Lite if you have a choice.

Restricted VLANs that provide limited access require LAN Base.

 

See link below.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010.html

  • Support for VLAN assignment on a port configured for multi-auth mode. The RADIUS server assigns a VLAN to the first host to authenticate on the port, and subsequent hosts use the same VLAN. Voice VLAN assignment is supported for one IP phone.
    Note: To use this feature, the switch must be running the LAN Base image.
  • Guest VLAN to provide limited services to non-802.1x-compliant users.
  • Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have the credentials to authenticate via the standard 802.1x processes.
    Note: To use authentication with restricted VLANs, the switch must be running the LAN Base image.

Hope this helps.

Please rate helpful posts.

Thanks.

 

Hi Charles,

The link you provided is very good; it explains the features for which LAN Lite is not enough and at least LAN Base is needed (though it is written for the 2960X, it should be valid for the 2960S as well):

 

  • Web Authentication
  • MDA (Multi Domain Authentication)
  • Restricted VLANs (VLAN assignment for 802.1x-configured clients that fail authentication, i.e. get rejected by ISE)
  • MAB (MAC Authentication Bypass)
  • NAC for posture analysis such as AV and update checks

 

Here the confusing part is that, although it is clearly noted that restricted VLANs are only supported with LAN Base, for the guest VLAN this is not stated, so either it was forgotten in the documentation or there may be differences between IOS or switch models and versions.

At https://globalconfig.net/802-1x-vlans/ the guest VLAN and restricted VLAN are described according to whether an EAPOL frame is received on the port or not.

Today we may test with a newer IOS version; it would be better, if possible, to upgrade to LAN Base.

Best Regards,

canero (Level 1)

It seems that the interface command "dot1x guest-vlan" was deprecated a long time ago, with IOS 12.2(50)SG and later releases:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/54sg/command/reference/cmdref/ch2a_ins.html 

"authentication event no-response action authorize vlan" is necessary for using a guest VLAN for a guest user that fails 802.1x, MAB or web authentication. It does not matter whether only 802.1x or some combination of these three authentication methods is used under the interface configuration. The guest VLAN is assigned at the end of authentication as a last resort if all authentications fail or time out, which is expected for a guest user that has no configuration beforehand.

Important points and prerequisites for guest VLAN assignment:

  1. Globally enable the guest VLAN with the "dot1x guest-vlan supplicant" command. This is explained in the following blog: http://www.danpol.net/index.php/cisco/switches/8021x-single-host-mode-guest-and-restrictive-vlan/
  2. Multi-auth should not be enabled under the interface (for a description of multi-auth, in order to understand whether it is needed, see http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-802x-multi-auth.html ).
  3. Under the interface, the commands "authentication event no-response action authorize vlan X" and "authentication event fail action next-method" should exist ( http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html ).
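To make the prerequisites above (and the guest-versus-restricted VLAN distinction discussed earlier in the thread) checkable on a real configuration, here is an added example of my own; it is not code from this thread or from Cisco. It parses `show running-config`-style text and reports, per 802.1X port, which of the listed conditions are missing. The configuration sample inside it is constructed for the example, the interface names are made up, and it assumes that ports without `authentication port-control auto` are not running 802.1X and skips them.

```python
"""Audit a Cisco IOS running-config for the guest-VLAN prerequisites listed above.

Checks, per 802.1X-enabled interface:
  1. global "dot1x guest-vlan supplicant" is present
  2. the interface is NOT in "authentication host-mode multi-auth"
  3. the interface has "authentication event no-response action authorize vlan N"
  4. the interface has "authentication event fail action next-method"
Assumes the text is laid out like "show running-config" output: interface
sub-commands indented by one space, blocks separated by "!".
"""
import re

# Constructed sample (not a real switch): Gi1/0/1 is complete, Gi1/0/2 lacks both
# event actions, Gi1/0/3 uses multi-auth, Gi1/0/24 is an uplink without 802.1X.
SAMPLE_CONFIG = """\
!
aaa new-model
dot1x system-auth-control
dot1x guest-vlan supplicant
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 authentication event fail action next-method
 authentication event no-response action authorize vlan 99
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication port-control auto
 authentication host-mode multi-auth
 authentication event no-response action authorize vlan 99
 authentication event fail action next-method
 dot1x pae authenticator
!
interface GigabitEthernet1/0/24
 description uplink, no 802.1X
 switchport mode trunk
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")
GUEST_VLAN_RE = re.compile(r"^authentication event no-response action authorize vlan (\d+)$")
FAIL_NEXT = "authentication event fail action next-method"
MULTI_AUTH = "authentication host-mode multi-auth"
GLOBAL_GUEST = "dot1x guest-vlan supplicant"


def parse_config(text):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # "!" ends a block in IOS output
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
            global_lines.append(line)
    return global_lines, interfaces


def guest_vlan_id(sub_commands):
    """Guest VLAN number configured by the no-response action, or None."""
    for cmd in sub_commands:
        m = GUEST_VLAN_RE.match(cmd)
        if m:
            return int(m.group(1))
    return None


def audit_guest_vlan(text):
    """Map each 802.1X port to its findings; an empty list means fallback will work.

    Ports without "authentication port-control auto" are assumed not to run
    802.1X and are left out of the report.
    """
    global_lines, interfaces = parse_config(text)
    report = {}
    for name, cmds in interfaces.items():
        if "authentication port-control auto" not in cmds:
            continue
        findings = []
        if GLOBAL_GUEST not in global_lines:
            findings.append(f"global '{GLOBAL_GUEST}' missing")
        if MULTI_AUTH in cmds:
            findings.append("host-mode multi-auth is incompatible with guest VLAN")
        if guest_vlan_id(cmds) is None:
            findings.append("no 'authentication event no-response action authorize vlan N'")
        if FAIL_NEXT not in cmds:
            findings.append(f"no '{FAIL_NEXT}' (failed dot1x will not fall through to MAB)")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_guest_vlan(SAMPLE_CONFIG).items():
        print(f"{port}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a saved `show running-config` by replacing `SAMPLE_CONFIG` with the file contents; a port only reaches the guest VLAN when all four findings are absent, so the report makes the failing prerequisite explicit instead of leaving you to guess why a client never landed in the guest VLAN.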

 

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html 

 
