Cisco WS-C3560V2-24TS-E Command Reference - Page 116
dot1x auth-fail vlan
Chapter 2 Catalyst 3560 Switch Cisco IOS Commands

dot1x auth-fail vlan

Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. To return to the default setting, use the no form of this command.

dot1x auth-fail vlan vlan-id
no dot1x auth-fail vlan vlan-id

Syntax Description
vlan-id    Specify a VLAN in the range of 1 to 4094.

Defaults
No restricted VLAN is configured.

Command Modes
Interface configuration

Command History
Release        Modification
12.2(25)SED    This command was introduced.

Usage Guidelines
You can configure a restricted VLAN on ports configured as follows:
• single-host (default) mode
• auto mode for authorization

You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if it is disabled. To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next re-authentication attempt occurs.

If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant. Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access. An EAP success message is sent for these reasons:
• If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
• Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.

A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication. Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN.

Internal VLANs used for Layer 3 ports cannot be configured as restricted VLANs.

You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.

2-84 Catalyst 3560 Switch Command Reference 78-16405-05
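The usage guidelines above can be checked offline against a saved configuration. The following Python check is an added example, not part of the Cisco manual: it flags ports that set dot1x auth-fail vlan without auto mode, single-host mode or re-authentication, or that reuse the port's voice VLAN. The sample configuration is constructed, the function names are hypothetical, and it assumes the interface-level dot1x command syntax of this release, with the voice VLAN compared per port.

```python
import re

# Constructed sample running-config fragment (not taken from the manual).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 dot1x port-control auto
 dot1x reauthentication
 dot1x auth-fail vlan 40
!
interface FastEthernet0/2
 switchport voice vlan 40
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x auth-fail vlan 40
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_restricted_vlan(config):
    """Return {interface: [findings]} for ports that set dot1x auth-fail vlan."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        vlan = next((m.group(1) for c in cmds
                     if (m := re.fullmatch(r"dot1x auth-fail vlan (\d+)", c))), None)
        if vlan is None:
            continue  # no restricted VLAN on this port, nothing to check
        findings = []
        if "dot1x port-control auto" not in cmds:
            findings.append("port is not in auto mode")
        # single-host is the default, so a missing host-mode line is acceptable
        mode = next((c.split()[-1] for c in cmds if c.startswith("dot1x host-mode ")), "single-host")
        if mode != "single-host":
            findings.append("host mode is not single-host")
        if "dot1x reauthentication" not in cmds:
            findings.append("re-authentication is disabled")
        if f"switchport voice vlan {vlan}" in cmds:  # assumption: compared per port
            findings.append("restricted VLAN is also the voice VLAN")
        report[name] = findings
    return report
```

An empty findings list means the port meets the guidelines listed above; ports without a restricted VLAN are left out of the report.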