Reader Marcus suggested an extension of last week's post on configuring wired 802.1X discussing the use of a guest VLAN. 802.1X includes the capability of defining a guest VLAN in which unauthenticated clients are placed. This can be handy to provide a sort of user-facing demilitarized zone, where guests can connect to the network but only to receive limited services, or to provide temporary restricted access to download software updates.

Configuring a guest VLAN is simple, so long as you understand the concept. We'll continue from the previous example, adding a guest VLAN with access only to the Internet, as depicted here:

This time, however, we'll assume our client is not 802.1X-capable (if continuing from the previous lab, be sure to disable 802.1X authentication under the network connection properties dialog). Configuring a guest VLAN is as simple as defining the VLAN number appropriately under the desired 802.1X interfaces:

Switch(config)# interface g0/12
Switch(config-if)# dot1x guest-vlan 99
Switch(config-if)# do show run int g0/12
Building configuration...

Current configuration : 159 bytes
!
interface GigabitEthernet0/12
 switchport access vlan 10
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 99

We can see VLAN 99 specified as the guest VLAN under the interface's 802.1X properties.

Switch# show dot1x int g0/12
Supplicant MAC <Not Applicable>
   AuthSM State      = CONNECTING
   BendSM State      = IDLE
PortStatus        = UNAUTHORIZED
MaxReq            = 2
MaxAuthReq        = 2
HostMode          = Single
PortControl       = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 99

Now we can connect our client. The switch will prompt for authentication but, receiving no response, will eventually (after roughly 90 seconds) give up and place the client in the guest VLAN.

Switch# show dot1x int g0/12
Supplicant MAC <Not Applicable>
   AuthSM State      = AUTHENTICATED(GUEST_VLAN)
   BendSM State      = IDLE
PortStatus        = AUTHORIZED(GUEST-VLAN)
MaxReq            = 2
MaxAuthReq        = 2
HostMode          = Multi(GUEST VLAN)
PortControl       = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 99

Switch# show int g0/12 switchport | i Access
Access Mode VLAN: 99 (VLAN0099)

The unauthenticated client can now only send traffic to VLAN 99; it will have to authenticate successfully before it can be placed in its permanent VLAN, VLAN 10.

Note that the guest VLAN is intended to be used for clients which have no ability to authenticate; those clients which fail authentication deserve additional consideration. Prior to IOS 12.2(25)SE, clients which fail authentication are simply placed in the guest VLAN. With the introduction of 12.2(25)SE, clients which fail authentication remain in their assigned VLAN, unable to communicate. This behavior can be reverted to the older style with the command dot1x guest-vlan supplicant under global configuration.

IOS 12.2(25)SED introduced another option: restricted VLANs. A restricted VLAN can be defined in addition to a guest VLAN, to handle clients which attempt and fail authentication. Defining a restricted (or "authentication failure") VLAN is similar to defining a guest VLAN:

Switch(config-if)# dot1x auth-fail vlan <VLAN>