802.1x Guest access when unauthenticated

dkorell
Level 1

During testing, I took my test PC off the domain but did not disable 802.1x. When Win2k booted, it was seen as unauthenticated and never was put in the Guest Vlan. I read another post from March and it sounds like this is expected.

If this is true, how do you handle a vendor that needs to plug into your network, but has 802.1x enabled because maybe their corporate network uses it? Is there any way to say if they are not authenticated, go into the Guest Vlan? I'm guessing the solution is to tell them to turn off 802.1x but I don't want to be involved every time vendors need to get on our network.

4 Replies

chilinh
Level 1

Hello,

In your scenario, you can turn on the auth-fail-vlan feature. Newer IOS or CatOS supports this feature.

For IOS you have to turn the feature on globally: dot1x guest-vlan supplicant. Assign the guest-vlan in the interface with the command: dot1x guest-vlan

For CatOS: set port dot1x auth-fail-vlan

Try it because it doesn't seem to work in my environment!!!! (It should work.)

Turning on the dot1x feature, nightmare begins.....

I tried the dot1x guest-vlan supplicant but looks like my IOS is older. I'll check out a newer version. I did do the dot1x guest-vlan command on the port. If the client has 802.1x turned off, it works. But if it's on but can't authenticate (like a real world vendor connecting might have it on), the port just sits in an unauthenticated mode.

I figured I would learn 802.1x with NAC for switches almost here but every time I get a problem solved, I test another scenario and more problems arise. Since we have a lot of Windows 2000 still, many Vlans (mainly location and application specific), vendors needing to plug in (main drive to get this working), and a lot of medical equipment that doesn't support 802.1x, this isn't looking too good. I checked into the MeetingHouse client but it is very pricey for just being an agent. Next test is a domain PC but logging in locally. Can't wait to see what that does.

Hi

We have 12.2(25)SEC in our IOS switch (3750). It is stable with dot1x authentication (PEAP, dynamic vlan, guest vlan, user/machine auth). But the feature you want, let's call it auth-fail-vlan, does not work in the current version, although it should work according to the Cisco document.

Today, I found the "802.1x restricted VLAN" feature in Cisco newly released 12.2(25)SED IOS. There is a command "dot1x auth-fail vlan" like CatOS. I would find time to test.

Suggestions for your reference:

1. For dot1x, 95% is supplicant problem. Try to search support.microsoft.com with 802.1x or supplicant as the keyword. You will find some good hints and hotfixes that make the supplicant stable.

2. For employees in your company, add the registry key below (have a test before deployment).

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

"SupplicantMode"=dword:00000003

"AuthMode"=dword:00000001

Those are for both user and machine authentication.

Export it after a successful test for deployment convenience.

3. For medical equipment, if it is not "mobile", "force-authorize" it with a description.

4. For vendors or visitors, just put them in the guest vlan. For those which have dot1x configured in their laptops, the switch must support "auth-fail-vlan".

Let me guess the result of your next test: the PC will be in unauthorized state.

Before GINA, the PC will be authorized in its VLAN if you have machine auth. (Use show dot1x int to see.)

Since you log in locally, PC will be authenticated again and be put in unauthorized state.

HTH

Karl

hsiehcl@tw.ibm.com
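The switch side of points 3 and 4 above, as an added example that is not from the thread or from Cisco documentation: an IOS interface configuration for a 12.2(25)SED-class switch using the guest-vlan and auth-fail vlan commands discussed here, plus the force-authorized exception for non-802.1x equipment. VLAN numbers, interface names, the RADIUS server address and the ticket reference are placeholders.

```cisco
! Added example, not from the thread. VLAN ids, interfaces, RADIUS server
! and ticket number are placeholders; adjust to your environment.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key <radius-shared-secret>
dot1x system-auth-control
!
! Point 3: a fixed medical device that cannot speak 802.1x. Leave the port
! authorized, but record why in the description so the exception is auditable
! and can be reviewed when the device is replaced.
interface FastEthernet0/1
 description MEDICAL-DEVICE no 802.1x support, force-authorized, ticket <TICKET-ID>
 switchport mode access
 switchport access vlan 20
 dot1x port-control force-authorized
!
! Point 4: vendor / visitor port.
!  - a client that never answers EAPOL (no supplicant) lands in the guest VLAN
!  - a client whose supplicant keeps failing lands in the restricted
!    (auth-fail) VLAN once max-attempts is reached
! Both VLANs should only reach the internet or a vendor-access segment, never
! the internal network; enforce that on the VLAN's router/ACL, not here.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 30
 dot1x port-control auto
 dot1x guest-vlan 900
 dot1x auth-fail vlan 901
 dot1x auth-fail max-attempts 3
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verify which state and VLAN a port ended up in:
!   show dot1x interface FastEthernet0/2
```

A supplicant that is present but fails (the original poster's Win2K test) should now move to VLAN 901 rather than sit unauthorized; lowering tx-period and max-attempts shortens the wait mentioned later in the thread at the cost of more RADIUS traffic.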

I found the dot1x auth-fail vlan feature while going through release notes. I was on 12.2(20)SE and upgraded to 12.2(25)SED and this fixes the problem I originally posted about. It takes a while though to go into that Vlan but finally did after canceling the authentication windows enough times in Win2K. I probably need to mess with the timeouts and AuthFail-Max-Attempts.

Regarding your dynamic vlan setup, are you referring to assigning vlans through ACS? I'm still trying to get this to work properly with Windows 2000. I have another post about it but basically if I assign a vlan during machine auth, it works. If then the user is assigned to a different vlan, Win2K won't pick up a new IP (I understand XP SP2 will though). If I don't assign a vlan for the user, then the port goes back to the vlan configured in nvram and doesn't stay in the vlan assigned to the PC.

Thanks for your input.