802.1X Guest-VLAN

If you begin to deploy 802.1X in a network, leveraging Guest-VLAN functionality is a key
element in providing network access to clients that are not equipped with an 802.1X
supplicant. The 802.1X Guest-VLAN functionality was initially developed as a migration
tool to allow enterprises to easily migrate client devices to support 802.1X while still
providing network connectivity.

Any VLAN can be configured as the Guest-VLAN, except private VLANs (PVLANs),
voice VLANs (VVID), and the VLAN used for Remote SPAN (RSPAN). Most Cisco
Catalyst platforms currently support the Guest-VLAN feature. Figure 17-6 demonstrates
the functionality of the 802.1X Guest-VLAN feature.

Currently, when a switch port initially receives a link, an EAP-Identity-Request message is
sent to actively look for an 802.1X supplicant. This happens regardless of whether the
device connected to the port is actually equipped with a supplicant.

Working with Devices Incapable of 802.1X 291

Figure 17-6 802.1X Guest-VLAN Operation

802.1X Guest-VLAN Timing

Assuming that a user does not have the 802.1X capability on her machine, the request from
the switch goes unanswered. After the expiration of a timer (tx-period), the switch sends
a new EAP-Identity-Request frame. The 802.1X specification dictates this behavior. This
process continues until the third request from the switch goes unanswered. The number of
retries is bound by the value of the max-reauth-req parameter. After the maximum
number of retries is exceeded, and if the switch port has been configured with the 802.1X
Guest-VLAN functionality, the port is moved to the Guest-VLAN, and the switch sends an
EAP-Success message. The client ignores and discards this message if it is not enabled for
802.1X.

From the point of view of the 802.1X process, the port has become authorized, and the
802.1X state machine has entered the authenticated state; no additional security or
authentication mechanisms are applied. (The 802.1X state machine stops running.) It is
basically as if the administrator disabled 802.1X and hard-set the port into that specific
VLAN. The behavior illustrated is accurate when using default values for the 802.1X
parameters that affect Guest-VLAN functionality: max-reauth-req and tx-period.

[Figure 17-6 (diagram): the switch sends EAPOL-Request (Identity), D = 01.80.c2.00.00.03, at
Step 1 (upon link up), Step 2 (after 30 seconds), and Step 3 (after another 30 seconds); at
Step 4 (30 seconds later) it sends EAP-Success, D = 01.80.c2.00.00.03, to the client
(00.0a.05.71.de.08), whose Dot1x process ignores it.]

292 Chapter 17: Identity-Based Networking Services with 802.1X

The max-reauth-req parameter sets the maximum number of times that the switch
retransmits an EAP-Identity-Request frame on the wire without receiving a response from
the connected client. By default, this value is set to 2. This is why Figure 17-6 shows two
retries (Steps 2 and 3) after the initial EAP-Identity-Request frame sent at link-up. Here are
the commands that change this parameter:

Switch(config-if)#dot1x max-reauth-req ?
  <1-10>  Enter a value between 1 and 10

The tx-period parameter sets the number of seconds that the switch waits for a response
to an EAP-Identity-Request frame from the client before resending the request. The default
value is 30 seconds; it is configurable as follows:

Switch(config-if)#dot1x timeout tx-period ?
  <1-65535>  Enter value between 1 and 65535

NOTE The max-req parameter is part of the configurable 802.1X parameters in Cisco IOS. The
max-req parameter is different from the max-reauth-req parameter and represents the
maximum number of retries a switch performs for EAP-Request frames of types other than
EAP-Identity-Request. Basically, this parameter refers to EAP-Data frames, which are the
EAP frames exchanged after the supplicant has replied to the initial EAP-Identity-Request
frame. For this reason, the max-req parameter is only effective when an actual 802.1X
supplicant is connected, and it does not apply to Guest-VLAN services.

The overall default configuration of the 802.1X Guest-VLAN is relatively simple, and it is
demonstrated as follows:

interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 10

The following formula calculates the time interval before the Guest-VLAN is enabled:

[(max-reauth-req + 1) * tx-period]

With the defaults (max-reauth-req 2 and tx-period 30 seconds), a port with no supplicant
behind it is moved into the Guest-VLAN 90 seconds after link-up.

The time to enable a port in the Guest-VLAN can be tweaked to 2 seconds:

interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 10
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
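The following Python script is an added example (not text from the book and not Cisco code) that ties the timing formula above to the two port configurations and to the list of VLAN types that cannot serve as a Guest-VLAN. It parses an IOS-style configuration, replays the EAP-Identity-Request retry sequence of Figure 17-6 for each port to derive the delay before the port drops into the Guest-VLAN, and flags a Guest-VLAN that is the RSPAN, private, or voice VLAN, or a port that would move into a VLAN other than its access VLAN faster than the defaults allow. The VLAN numbers, interface names and the "remote-span" and "private-vlan" VLAN sub-commands in SAMPLE_CONFIG are constructed for this example; the check thresholds are the example's own assumptions.

```python
"""Audit 802.1X Guest-VLAN timing in a Cisco IOS-style config (added example,
not code from the book or from Cisco). Replays the switch's EAP-Identity-Request
retries per port, derives the delay before the port drops into the Guest-VLAN,
and flags the VLAN types the text excludes. SAMPLE_CONFIG is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

PAE_GROUP_MAC = "01:80:c2:00:00:03"  # destination of every EAPOL frame
DEFAULT_TX_PERIOD = 30               # IOS default, seconds
DEFAULT_MAX_REAUTH_REQ = 2           # IOS default

SAMPLE_CONFIG = """\
vlan 20
 remote-span
interface FastEthernet0/1
 switchport access vlan 2
 dot1x port-control auto
 dot1x guest-vlan 10
interface FastEthernet0/2
 switchport access vlan 2
 switchport voice vlan 40
 dot1x guest-vlan 10
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
interface FastEthernet0/3
 switchport access vlan 2
 dot1x guest-vlan 20
"""

@dataclass
class Port:
    name: str
    access_vlan: Optional[int] = None
    voice_vlan: Optional[int] = None
    guest_vlan: Optional[int] = None
    tx_period: int = DEFAULT_TX_PERIOD
    max_reauth_req: int = DEFAULT_MAX_REAUTH_REQ

PORT_FIELDS = {  # interface sub-command -> Port attribute it sets
    r"switchport access vlan (\d+)": "access_vlan",
    r"switchport voice vlan (\d+)": "voice_vlan",
    r"dot1x guest-vlan (\d+)": "guest_vlan",
    r"dot1x timeout tx-period (\d+)": "tx_period",
    r"dot1x max-reauth-req (\d+)": "max_reauth_req",
}

def parse_config(text):
    """Return ({"rspan": set, "private": set}, [Port, ...])."""
    reserved = {"rspan": set(), "private": set()}
    ports, vlan, port = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("vlan "):          # "vlan N" section
            vlan, port = int(line.split()[1]), None
        elif line.startswith("interface "):   # interface section
            port, vlan = Port(line.split()[1]), None
            ports.append(port)
        elif vlan is not None and line == "remote-span":
            reserved["rspan"].add(vlan)
        elif vlan is not None and line.startswith("private-vlan"):
            reserved["private"].add(vlan)
        elif port is not None:
            for pattern, attr in PORT_FIELDS.items():
                m = re.fullmatch(pattern, line)
                if m:
                    setattr(port, attr, int(m.group(1)))
    return reserved, ports

def replay_guest_vlan_fallback(port):
    """(seconds since link-up, frame) the switch sends when nobody answers."""
    timeline, t = [], 0
    for _ in range(port.max_reauth_req + 1):  # initial request + retries
        timeline.append((t, f"EAPOL-Request (Identity) -> {PAE_GROUP_MAC}"))
        t += port.tx_period                   # tx-period passes, no reply
    timeline.append((t, "EAP-Success, port moved to Guest-VLAN"))
    return timeline

def guest_vlan_delay(port):
    return (port.max_reauth_req + 1) * port.tx_period  # the text's formula

def audit(config_text):
    """Per-port delay plus the misconfigurations the text warns about."""
    reserved, ports = parse_config(config_text)
    default_delay = (DEFAULT_MAX_REAUTH_REQ + 1) * DEFAULT_TX_PERIOD
    report = {}
    for p in ports:
        if p.guest_vlan is None:
            continue
        delay, issues = guest_vlan_delay(p), []
        if p.guest_vlan in reserved["rspan"]:
            issues.append("guest VLAN is an RSPAN VLAN")
        if p.guest_vlan in reserved["private"]:
            issues.append("guest VLAN is a private VLAN")
        if p.guest_vlan == p.voice_vlan:
            issues.append("guest VLAN is the voice VLAN")
        if p.guest_vlan != p.access_vlan and delay < default_delay:
            issues.append(f"port enters a different VLAN after only {delay}s")
        report[p.name] = {"delay_s": delay, "issues": issues}
    return report

if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        print(name, result)
```

Running the script reports 90 seconds for FastEthernet0/1 (the default configuration), 2 seconds for FastEthernet0/2 (the tweaked timers, flagged because the port lands in VLAN 10 rather than its access VLAN 2 after only 2 seconds), and flags FastEthernet0/3 because VLAN 20 is the RSPAN VLAN. The replayed timeline for a default port is the same sequence of three identity requests and one EAP-Success that Figure 17-6 draws.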

Only attempt this configuration after you consider the consequences that this can have on
the regular functionality of 802.1X. For example, if you configure the Guest-VLAN to be
a different VLAN than the access VLAN, a port might be moved into the Guest-VLAN too
quickly, before a slow-starting supplicant has had a chance to respond; if protecting the end
host is paramount, this operation might not be desired. Also, from a security perspective,
802.1X follows the dialup networking model. The default timers tend to follow the least-access
principle in terms of security, providing access only when a supplicant dials on the
connection. Also, analyzing the interaction issues between 802.1X and DHCP at startup time
helps in understanding this. In the end, it is possible to set the tx-period and
max-reauth-req parameters to the minimum configurable values to reduce the time interval
required for the deployment of a switch port in the Guest-V