802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

Hello,
I have tried to configure a dot1x based Authentication.
With a single host including guest-vlan, everything works fine.
But I want to use an IP-Phone (which is authenticated every time) and behind the Phone a Client.
Is there a possible solution? And unfortunately the IP-Phones are Avaya-Phones.
I have just tried so...
interface GigabitEthernet0/4
 switchport access vlan 121
 switchport mode access
 switchport voice vlan 200
 authentication event fail action authorize vlan 99
 authentication event server dead action authorize vlan 121
 authentication event server alive action reinitialize
 authentication host-mode multi-host
 authentication order dot1x
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 1
 spanning-tree portfast
Thanks, for any possible solution!

Unfortunately, because they are Avaya phones, the easy answer, CDP-Bypass, fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the number of phones.
I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
What are you using for a RADIUS server?
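
An added example, not part of the original thread or any Cisco tooling: a small Python audit that parses the interface stanza posted in the question and flags the two gaps discussed above, a voice VLAN on a port whose host mode does not authenticate phone and PC separately, and an auth-fail VLAN with no guest (no-response) VLAN. `REVISED` is a constructed variant that follows the multi-domain suggestion; reusing VLAN 99 as the guest VLAN and the finding codes are assumptions.

```python
import re

# Port configuration as posted in the question (timer and portfast lines omitted).
POSTED = """\
interface GigabitEthernet0/4
 switchport access vlan 121
 switchport mode access
 switchport voice vlan 200
 authentication event fail action authorize vlan 99
 authentication event server dead action authorize vlan 121
 authentication event server alive action reinitialize
 authentication host-mode multi-host
 authentication order dot1x
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
"""

# Constructed variant: multi-domain as suggested in the reply, plus a guest
# VLAN for clients that never send EAPOL (VLAN 99 here is an assumption).
REVISED = POSTED.replace("host-mode multi-host", "host-mode multi-domain") + (
    " authentication event no-response action authorize vlan 99\n"
)


def parse_interfaces(config):
    """Split IOS config text into {interface name: [sub-commands]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return stanzas


def setting(cmds, pattern, default=None):
    """Return group 1 of the first sub-command that fully matches pattern."""
    for cmd in cmds:
        m = re.fullmatch(pattern, cmd)
        if m:
            return m.group(1)
    return default


def port_facts(cmds):
    """Extract the 802.1X settings that matter for a phone-plus-PC port."""
    ev = r"authentication event "
    return {
        "voice_vlan": setting(cmds, r"switchport voice vlan (\d+)"),
        "port_control": setting(cmds, r"authentication port-control (\S+)"),
        # IOS does not print the default host mode, which is single-host.
        "host_mode": setting(cmds, r"authentication host-mode (\S+)", "single-host"),
        "auth_fail_vlan": setting(cmds, ev + r"fail .*action authorize vlan (\d+)"),
        "guest_vlan": setting(cmds, ev + r"no-response action authorize vlan (\d+)"),
    }


def audit(config):
    """Return (interface, code, message) findings for 802.1X-enforcing ports."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        f = port_facts(cmds)
        if f["port_control"] != "auto":
            continue  # port is not enforcing 802.1X, nothing to check
        if f["voice_vlan"] and f["host_mode"] == "multi-host":
            findings.append((name, "VOICE_MULTI_HOST",
                             "one successful authentication opens the port to every "
                             "MAC behind it; use multi-domain to authenticate phone "
                             "and PC separately"))
        elif f["voice_vlan"] and f["host_mode"] == "single-host":
            findings.append((name, "VOICE_SINGLE_HOST",
                             "only one MAC is allowed, so a PC behind the phone "
                             "triggers a violation; use multi-domain"))
        if f["auth_fail_vlan"] and not f["guest_vlan"]:
            findings.append((name, "NO_GUEST_VLAN",
                             "auth-fail VLAN %s covers rejected credentials only; "
                             "clients that send no EAPOL get no fallback VLAN"
                             % f["auth_fail_vlan"]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("revised", REVISED)):
        print(label, audit(cfg) or "no findings")
```
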

Similar Messages

  • 802.1x Auth-Fail VLAN and Guest-VLan not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    Idea is if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shameless bump...

  • Voice Vlan and Native Vlan

    Dear all,
    I am now reading some information regarding the setup of Voip Phone. It mentioned that the Phone is actually a 3-ports switch:
    Port 1: Connect to upstream switch
    Port 2: Transfer Phone traffic
    Port 3: Connect to a PC
    Actually, what should I configure on the upstream switch port? Should it be a trunk port containing both the voice traffic vlan and pc data vlan?
    Or something else?
    Also, there is a term called 'Voice Vlan', is there any difference between 'Voice vlan' and an ordinary Vlan?
    Is there any special usage of 'Native' Vlan in implementing Voip?
    Thanks.
    Br,
    aslnet

    Thanks.
    How about if the PC data should be tagged as another vlan (e.g., Vlan 10)? Then I should change the native vlan to vlan 10?
    But from my understanding, the Native Vlan should be the same in the whole network, so do I need to change the whole network's native vlan? If different vlans should be assigned to different PCs that are behind different VoIP phones, then how do I do it?
    My guess is that I can assign an individual native vlan (vlan10) on that port (connected to the voip-phone), and then keep the switch's uplink port on the original native vlan (vlan1).
    Therefore, PC data traffic would be untagged when entering from the voip phone to the switch, and then tagged as vlan10 when leaving the switch to the other uplink switch, right?
    Thanks.

  • About the Native Vlan and Management Vlan.

    I wanted to know whether the Management vlan and Native vlan can have different vlan ids or whether both should be the same vlan id. Why should the native vlan not be vlan 1?

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
    Example: In the below figure, if an IP phone and a system are connected to a switch port as below, the phone will send its frames tagged with vlan 10 whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured with native vlan 20, so that it can recognise and handle the frames from the system and the IP phone properly.
    Management vlan is different: it means that this vlan will be used for management purposes. Logging into the switch for management, monitoring the switch, collecting Syslog and SNMP traps, etc. will be done via the management vlan IP. This is also vlan 1 by default in Cisco. So, as Antony said, it is always a best practice and security measure to not use the default vlan and to use custom vlans.
    Hope this helps !

  • 802.1X un-authenticated user and guest VLAN

    Is there an option for 802.1X wired network to put any un-authenticated user onto the guest VLAN instead of no access? Thanks.

    You can read more about "802.1X authentication failure VLAN" in the release notes for cat 6000 8.4 new features. It may not be in your hardware yet.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm

  • Dot1x "authentication event fail action authorize" missing vlan info in show running-config 3750 12.2.55-SE7

    Has anyone seen this on their dot1x configurations where the vlan info is missing in the show running-config? See port fast 2/0/3 below. The 3750 POE switch is running 12.2.55-SE7.
    interface FastEthernet2/0/1
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize vlan 34
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/2
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize vlan 34
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/3
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/4
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/5
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/6
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize vlan 34
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable

    The vlan info isn't missing, you have the option of either specifying which VLAN you want it dropped in to, or you can just say authorize the vlan that is configured with the 'switchport access vlan' command.

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of IOS, Android, and Windows 7/8 devices. IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto creating a wireless profile, are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different. The Windows device would auto select user authentication by default. At other customer sites, windows devices auto select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and be functional easily to begin with.

  • Auth VLAN and Access vlan

    When the interface comes up, the CAM puts the user in the AUTH vlan as expected via the set command (vlan 210)
    03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
    03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
    vmVlan.1 = 210
    that works OK
    Fa0/21, Fa0/22, Fa0/23
    210 VLAN0210 active Fa0/1
    211 VLAN0211 active
    So SNMP RW works OK,
    After the user logs in to the network the user should be put back into vlan 220 (according to the port profile settings) but nothing happens, no set command sent, no SNMP traffic at all. The user remains in the AUTH vlan and the agent loops.
    I have tried all the settings, role based, initial VLAN as well, to no avail.
    Any ideas? What to check for?
    Rafal

    Have you double checked your settings for mapping ports with the VG setup guide?
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1089247
    Also make sure your OOB port profile is correct and that it switches from auth to access vlan after authentication
    http://www.exio.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_oob.html#wp1083087

  • VLAN trunking, native vlan and management vlan

    Hello all,
    In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
    We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.

    To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
    Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
    When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
    I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
    Regards,
    Leo

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have approx. 1500 access points in approx. 500 locations. WLCs are WiSM2s running 7.4.110.0. The APs are 1131LAPs. In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
    Now we have started to use 1602 APs and the client connection on ssid LAN becomes unstable.
    If we configure a different ssid, using vlan 420 and native vlan as 410, everything works fine.
    I can't find any recommendations regarding the use of native vlan/ssid vlan.
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within 1602 access points?
    Regards,
    Lars Christian

    It is the recommended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
    From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WAP321 and Guest VLAN

    I am struggling to remember how to configure a small biz client of mine who just purchased four of these WAP321 APs. They want to have two SSIDs, one being for private LAN access along with internet and one that can only access the internet. With that said I set up the private SSID to be on VLAN 1 (default or basically untagged) and the guest SSID on VLAN2. At this point my problem would lie in the fact that since packets on the guest SSID are tagged with VLAN 2 it is not going to receive an IP address from the DHCP server which is actually a Windows server on the private LAN. This makes sense but I think in other situations I have simply utilized the layer 3 switch and set up a DHCP scope on the switch which leaves us without any need to access an internal DHCP server. Can this be configured on the WAP321 access points...ie provide DHCP services to a specified VLAN...in this case VLAN 2?
    In either event, the switches are manageable and have VLAN capabilities but no VLANs have been set up. Each port sees all packets on any VLAN. What is the best way to set this up? Oh and the firewall/router is a medium end SonicWALL, not sure if that matters.
    Thanks for any assistance in advance.

    Hi [email protected], thank you for using our forum, my name is Johnnatan and I am part of the Small Business Support community. I apologize for the delay; in this case the server should be able to assign DHCP to Vlan2 once you set up the pool of addresses. I advise you to check on all the devices whether Vlan2 is created, and also check if there is any access rule for Vlan2.
    If you assign multiple DHCP servers you can get a few issues with the addresses. I advise you to try to assign DHCP from one server to avoid any issues.
    I hope you find this answer useful
    “Please rate useful posts so other users can benefit from it”
    Greetings, 
    Johnnatan Rodriguez Miranda.
    Cisco Network Support Engineer.

  • Users VLAN and Management VLAN

    is it possible to separate two VLANs:
    one is running for the users VLAN connects to the clients
    one is for management purpose.
    Is there a sample code available for access points, bridges, and switches?
    I would really appreciate that.

    Hi,
    You can configure VLANs on enterprise access points.
    What you need to do is configure the access point with its management IP address, set this as the native vlan and then add the other VLAN or VLANs.
    Then on the switch that the access point is connected to you need to configure a trunk port and make sure that the native vlan is the same VLAN you set as native on the access point.
    As an example, if the Access point has an IP address for management vlan 20, we set this VLAN as native and then we add the other VLAN or VLANs, and on the switch you configure the port as a trunk port with the same native VLAN 20.
    Note, native vlan is the same as untagged vlan. When we configure a trunk port this will tag all vlans except the native vlan or untagged vlan that needs to be the same between directly connected devices.

  • What is difference between Default VLAN and Native VLAN?

    Answer

    Cisco switches always have VLAN 1 as the default VLAN, which is needed for many protocol communication between switches like spanning-tree protocol for instance.
    You can't change or even delete the default VLAN, it is mandatory.
    The native VLAN is the only VLAN which is not tagged in a trunk, in other words, native VLAN frames are transmitted unchanged.
    Per default the native VLAN is VLAN 1 but you can change that:
    #show interface Fa0/8 trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/8       on               802.1q         other         1
    (config-if)#switchport trunk native vlan 2
    (config-if)#do show interface f0/8 trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/8       on               802.1q         other         2
    The default VLAN is still VLAN 1.
    #show vlan id 1
    VLAN Name Status    Ports
    1    default active    Fa0/8, Gi0/1
    HTH
    Rolf

  • Auth-fail VLAN vs Guest VLAN

    Hi All,
    What criteria is used to determine whether to use the auth-fail VLAN or the guest VLAN?
    What if a non-802.1x client connects to the port, say a Vendor.... 802.1x doesn't occur, so does it then transition to guest vlan?
    What if a vendor brings in an 802.1x capable PC and connects it... the auth fails, but I'd want the vendor to go into the guest VLAN anyway, Could I give them a temporary username / PW maybe to authenticate with? hmmm...
    Thanks in advance.

    Hello,
    The Auth-Fail VLAN is invoked if an Access-Reject is received from the Radius server for the
    user or machine authentication. The Auth-Fail VLAN will be invoked after a number of failures,
    not after the first authentication failure. This is a configurable value.
    The Guest VLAN is invoked if no EAPoL traffic is received from the connecting client.
    You can set the Auth-Fail VLAN and the Guest VLAN to the same VLAN ID if you want
    users who come in with the supplicant disabled or someone with invalid credentials (or no credentials).
    --Jesse

  • Cat 3750 with Voice VLAN and Dynamic VLANs

    Morning,
    Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?
    Is a RADIUS server able to provide values to change the native vlan?
    Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?
    Thanks,

    Voice VLAN's don't require trunk ports to be configured (unless you are talking about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access vlan - so in 2950 or above the only config you need is:
    interface FastEthernet0/1
     switchport
     switchport mode access
     switchport access vlan 10
     switchport voice vlan 100
    This is effectively the same as:
    interface FastEthernet0/1
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 10
     switchport trunk allowed vlan 10,100
    The only difference is the CDP message with the first config will advertise the Voice VLAN capability and the tag.
    With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice vlan).
    QoS is not detailed anywhere here and that obviously plays an important role with voice.
    In your scenario I am not sure ACS can do what you describe as this will require 802.1x supplicants on the client PC's (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non 802.1x capable devices). This seems to me more of a VMPS application.
    Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....
    HTH
    Andy
