HP Cisco Catalyst Blade Switch 3020 Cisco Catalyst Blade Switch 3020 for HP Co - Page 87
dot1x auth-fail vlan
Chapter 2 Cisco Catalyst Blade Switch 3020 for HP Cisco IOS Commands

Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. To return to the default setting, use the no form of this command.

dot1x auth-fail vlan vlan-id
no dot1x auth-fail vlan

Syntax Description
vlan-id    Specify a VLAN in the range of 1 to 4094.

Defaults
No restricted VLAN is configured.

Command Modes
Interface configuration

Command History
Release         Modification
12.2(25)SEF     This command was introduced.

Usage Guidelines
You can configure a restricted VLAN on ports configured as follows:
• single-host (default) mode
• auto mode for authorization

You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if it is disabled. To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next re-authentication attempt occurs.

If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant. Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access. An EAP success message is sent for these reasons:
• If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
• Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.

A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication. Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN.

Internal VLANs used for Layer 3 ports cannot be configured as restricted VLANs.

You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.

OL-8916-01 Cisco Catalyst Blade Switch 3020 for HP Command Reference 2-59
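The usage guidelines above can be checked offline against a saved or candidate configuration. The following is an added example, not part of the Cisco manual: the function name audit_restricted_vlan and the sample configuration are constructed for illustration, and the companion IOS commands it looks for (dot1x port-control auto, dot1x host-mode, dot1x reauthentication, switchport voice vlan) are not shown on this page.

```python
import re

# Constructed candidate configuration for the demonstration (not from the manual).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 dot1x port-control auto
 dot1x reauthentication
 dot1x auth-fail vlan 40
!
interface GigabitEthernet0/2
 switchport voice vlan 40
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x auth-fail vlan 40
!
interface GigabitEthernet0/3
 dot1x auth-fail vlan 5000
"""

def audit_restricted_vlan(config):
    """Return {interface: [findings]} for every port that sets dot1x auth-fail vlan."""
    findings = {}
    # Zero-width split: each stanza starts at an "interface <name>" line.
    for stanza in re.split(r"(?m)^(?=interface )", config):
        header = re.match(r"interface (\S+)", stanza)
        vlan = re.search(r"(?m)^\s*dot1x auth-fail vlan (\d+)\s*$", stanza)
        if not header or not vlan:
            continue
        lines = {line.strip() for line in stanza.splitlines()}
        vid, issues = int(vlan.group(1)), []
        if not 1 <= vid <= 4094:
            issues.append("vlan-id outside 1-4094")
        if "dot1x port-control auto" not in lines:
            issues.append("port is not in auto mode")
        # single-host is the default, so only an explicit other mode is flagged.
        if any(l.startswith("dot1x host-mode ") and not l.endswith(" single-host") for l in lines):
            issues.append("port is not in single-host mode")
        if "dot1x reauthentication" not in lines:
            issues.append("re-authentication is disabled")
        if f"switchport voice vlan {vid}" in lines:
            issues.append("restricted VLAN is also the voice VLAN")
        findings[header.group(1)] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_restricted_vlan(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues) or "ok")
```

A port with an empty findings list meets every condition the guidelines name; the re-authentication finding matters most, because without it a port can stay in the restricted VLAN until a link-down or EAP logoff event occurs.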