I am looking to implement 802.1x for our wired ports. I have a working solution. The device connects and successfully authenticates. The VLAN is not set by the RADIUS server but is provided by the switch port configuration (Switch access VLAN xx).
Works well so far but our PXE solution doesn't support 802.1x. I was thinking some kind of unauthenticated VLAN that clients enter when 802.1x authentication fails. This VLAN will be very restricted and only have access to the PXE server (via an ACL).
I have researched this but I am getting mixed messages and many articles online are quite old.
I was wondering if anyone can advise please?
authentication event fail action authorize vlan vlan-id
You need the above command; if 802.1x fails, the PXE client will automatically get the VLAN you enter in the command.
Thank you. I will give that a try!
Do you know any show commands to view if a port passes or fails authentication please? It will be useful in troubleshooting. I haven’t actually implemented 802.1x on wired ports before.
I added authentication event fail action authorize vlan 506 - it didn't seem to work. I connect a device (standalone laptop) and it doesn't get an IP address from VLAN 506. A domain laptop connected to this port authenticates and works well.
I wonder if you can provide any tips please?
The port config is:
switchport access vlan 508
switchport mode access
authentication event fail action authorize vlan 506
authentication port-control auto
dot1x pae authenticator
Can you try adding this line to your interface:
authentication event no-response action authorize vlan 506
Make sure you have created VLAN 506 and an SVI with IP helpers to your DHCP server, and have the scope built.
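
The thread uses two separate fallback events: `fail` applies when a client attempts 802.1x and is rejected, while `no-response` applies when a client, such as a PXE boot ROM with no supplicant, never answers the switch's EAP requests. The following is an added example, not part of any post in this thread: a small Python audit that reads an IOS-style configuration and reports, for each port running `authentication port-control auto`, which of the two fallback VLANs is configured and which is missing. The interface names, the sample configuration and the function names are constructed for illustration.

```python
import re
# Constructed sample configuration; interface names are made up for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 508
 authentication event fail action authorize vlan 506
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport access vlan 508
 authentication event fail action authorize vlan 506
 authentication event no-response action authorize vlan 506
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport access vlan 508
!
"""

EVENT_RE = re.compile(r"authentication event (fail|no-response) action authorize vlan (\d+)")

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the interface block
    return interfaces

def audit_fallback_vlans(config):
    """For each 802.1x-enforcing port, list configured and missing fallback VLANs."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "authentication port-control auto" not in lines:
            continue  # port does not enforce 802.1x, nothing to audit
        vlans = {m.group(1): int(m.group(2)) for l in lines if (m := EVENT_RE.fullmatch(l))}
        missing = [e for e in ("fail", "no-response") if e not in vlans]
        report[name] = {"vlans": vlans, "missing": missing}
    return report

if __name__ == "__main__":
    for port, result in audit_fallback_vlans(SAMPLE_CONFIG).items():
        print(port, result)
```

A port reported with `no-response` missing matches the port configuration posted above, where only the `fail` action was set.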