Guest VLAN on 802.1x on CBS220-48T-4G

mbender
Level 1

I'm trying to set up dot1x on our new Cisco switch. In general a basic setup with RADIUS authentication works fine, so a big success on that front (though I'm still in a generic testing phase).

However I wanted to make use of the guest VLAN option to permit dev machines limited access, and here I've got some issues.

a) I've set up a Guest VLAN of 10, and I've tested if DHCP on this VLAN works as expected by manually assigning a port to use PVID10 and connected my laptop to that port. As expected, I got a different IP range than normal.
b) I've reverted the port from a) back to normal (PVID1) and enabled dot1x on that port, with guest VLAN, and forced unauthorized for testing. It appears I'm not getting any traffic on this port now and I'm never getting a DHCP response.

PS. Note I'm using the Multiple Sessions setting for the ports. Essentially developers (who will be authenticated) will often have dev machines running inside HyperV. Ideally I want those dev machines to automatically pick up and run in the guest VLAN. Obviously any unauthorized client should be running in that VLAN as well.

What could be the issue?

2 Replies

Jitendra Kumar
Spotlight

Guest/auth VLANs couldn't work as the switch doesn't have a way to put 2 machines on 2 different VLANs that were -not- a trunk port.

Thanks,
Jitendra

The port I was testing this out on is set up as a trunk port.

Also (I've added this to the original question) I'm using the Multiple Sessions setting for the ports. I don't think this should matter for this particular case, but you never know, so I'm bringing it up.

PS. Also, why does the "Authenticated Host Table" show the authenticated devices using the guest VLAN? If they're authenticated shouldn't they be using the default VLAN?