Auth-fail VLAN vs Guest VLAN

Hi All,
What criteria is used to determine whether to use the auth-fail VLAN or the guest VLAN?
What if a non-802.1x client connects to the port, say a Vendor.... 802.1x doesn't occur, so does it then transition to guest vlan?
What if a vendor brings in an 802.1x capable PC and connects it... the auth fails, but I'd want the vendor to go into the guest VLAN anyway, Could I give them a temporary username / PW maybe to authenticate with? hmmm...
Thanks in advance.

Hello,
     The Auth-Fail VLAN is invoked if an Access-Reject is received from the Radius server for the
     user or machine authentication.  The Auth-Fail VLAN will be invoked after a number of failures
     not after the first authentication failure.  This is a configurable value.
     The Guest VLAN is invoked if not EAPoL traffic is received from the connecting client.
     You can set the Auth-Fail VLAN and the Guest VLAN to the same VLAN ID if you want
     users who come in with the supplicant disabled or someone with invalid credentials (or no credentials).
--Jesse

Similar Messages

  • 802.1x Auth-Fail VLAN and Guest-VLan not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shamless bump...

  • 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

    Hello,
    i have tried to configure a dot1x based Authentication.
    With an single host including guest-vlan, everything works fine.
    But i want to use an IP-Phone (wich is every times authenticated) and behind the Phone an Client.
    Is there a possible solution? And unfortunately IP-Phones are Avaya-Phones.
    i have  just tried so...
    interface GigabitEthernet0/4
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 200
    authentication event fail action authorize vlan 99
    authentication event server dead action authorize vlan 121
    authentication event server alive action reinitialize
    authentication host-mode multi-host
    authentication order dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    spanning-tree portfast
    Thanks, for any possible solution!

    unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
    What are using for a radius server?

  • Wired guest vlan with ISE

    Hi all,
    For those that have travelled down the path of ISE, is it reliable to put the all switch ports into a guest vlan and rely on the NAM to change that of corporate users? We will be using the NAM any connect supplicant for corporate users, so they should automatically be changed into the corporate vlan on successful authentication. Is this correct and is this reliable?
    Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially before they are changed by the java applet upon registering as a guest user.
    Thanks
    Sent from Cisco Technical Support iPad App

    I will try to answer all of your quesitons:
    1.     "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
              - I suppose the standard is to have the port in the regular/standard VLAN and only put failed           authentications in the guest VLAN. However, with that being said, it really depends on what you are           trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor           deployed it that way so I highly recommend you try that in the lab
    2.     "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
              - Yes it is. Well at least for the most part Some "dumb" devices such as printers, badge readers, etc,           might not know that a VLAN was changed, thus never request a new IP address. As a result, they get           stuck in the guest VLAN. That is why I usually like to NOT use guest VLAN but send all failed           authentications through the guest portal. There you can control who is guest and who is not via dACLs.
    3.     " We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things           like PXE booting that needs to happen"
              - So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface           usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you           want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the           one granted in the Low-Impact mode ACL otherwise things will break

  • Auth-fail vlan won't support re-authentication

    We're using ACS 1113 Appliance with ACS version 4.1.4.13. via the RADIUS attributes, clients are re-authenticated every 16 hours. The machine cache is set to 12 hours. This means that, if the user doesn't log off within 16 hours, he will be denied network access because of Machine Access Restriction (which is normal).
    The problem is, at this point, the SSC client keeps trying and trying to authenticate. It never stops trying until the user logs off or reboots (sometimes this can takes days to weeks (f.e. on vacation). This results in a log entry, every 4 seconds (because of timeout tx-period settings), for every user that is in the MAR. Now you can imagine that, in an environment with 4000 users that the loggings become unusable because of the enormous amount of (unnecessary) failed attempts logs.
    I've tried the following dot1x attributes on the switchport but they don't seem to work:
    dot1x max-req 3
    dot1x max-reauth-req 3
    I was hoping they would stop the authentication attempts after 3 unsuccesfull tries, but it doesn't help.
    Then I thought I found a solution: the auth-fail vlan. Then we have only 3 logs before the port falls into auth-fail, which is much better.
    But, once he is into the auth-fail vlan, he never gets out! I tought that, if the user logs off, the network connection is closed, so at that point the machine authentication would be triggered. But he just stays in the auth-fail vlan until rebooted or the cable is removed. Isn't there any way to trigger the authentication when the user is logged off?

    Check if the "Default connection timeout" and "Default Association Timeout" values are configured properly in the client policy. Also check for the "max start" value in the connection settings for 802.1x. http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1/administration/guide/C2_SetupSSC.html#wp1056892

  • 802.1x Auth-Fail VLAN --- XP does not recognize

    With Auth-Fail VLAN configured on Cisco 3550 the Switch successfully configures the port to the configured auth-fail vlan upon unsuccessful authentication. The PC even gets the IP address from DHCP.
    However, the Windows XP network icon on the task bar continues to display as if it is trying to configure the network. The popup text displays "Attempting to authenticate" whereas the PC is fully connected and able to communicate on the network.
    Any idea...????

    I am performing machine authentication against MS AD. It does get an ip address from the authentication VLAN but not before minor delay...(have seen up to a minutes delay in some cases).
    The following is working fine in my case:
    Machine Authenticaiton (S) ---> User Auth (S) then all is good.
    Machine Auth (S) ---> User Auth (F) transition to Auth Fail VLAN
    Machine Auth (F) ---> Machine is in AuthFail VLAN then User Auth (S) Machines transitions to correct access VLAN (or RADIUS assigned VLAN).
    There are times when the behaviour is a bit variable in terms of VLAN assignment. Reading the IOS guide it makes sense if you are not assigning VLAN through RADIUS then switch sometimes tends to leave the port in the currently assigned VLAN, which depending on the port state (success/fail) could be the access VLAN or the AuthFail VLAN.

  • Web Auth FAIL on guest wlan

    We have a 2100 Wlan controller set up with multiple wlans.
    We are having problems on the Guest VLAN in that everytime a user tries to authenticate via Web Auth, they fail and are redirected to the username/password page.
    Local accounts have been added and the WLAN has been set up to use web auth but each time a user tries to authenticate the following message is in the log:-
    NOV 21 09:47:21.852 pem_api.c:4513 PEM-1-WEBAUTHFAIL : Web Authentication Failure for station aa:bb:cc:dd:ee:ff
    If the box is rebooted it works for around an hour, then begins to fail again.
    Any ideas?

    Here is the configuration guide for the Webauthentication for WLC with example it may help you to troubleshoot and configuration
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

  • Guest-vlan; catalyst 2960

    Hello,
    I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I can not.
    The IOS version (obtained trough: show version) is:
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  12.2(53)SE2           C2960S-UNIVERSALK9-M
    I am trying to configure the interface using the following commands:
    RAK-ASW01#configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CNTL/Z.
    RAK-ASW01(config)#interface gigabitEthernet 1/0/11
    RAK-ASW01(config-if)#switchport mode access
    RAK-ASW01(config-if)#dot1x port-control auto
    RAK-ASW01(config-if)#dot1x guest-vlan 17
    RAK-ASW01(config-if)#end
    the result is the following, as if the guest-vlan is not supported:
    RAK-ASW01#show dot1x interface gigabitEthernet 1/0/11
    Dot1x Info for GigabitEthernet1/0/11
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RAK-ASW01#
    similar result is obtained while trying to configure a auth-fail vlan.
    the full configuration file is attached.
    many thanks in advance,
    Alaeddine

    Hi,
    I am trying to see the guest-vlan configuration, but I was not able to see it. Therefore, my first thought was that the guest-vlan is not supported by this IOS release.
    Another point is that, although I am not able to see the configuration of the guest-vlan and the auth-fail vlan, they do exist and they are operational: when I try to connect a device to the switch and it fails to authenticate, the switch connects the device to the restricted vlan.
    So my question is: why I can not see the guest-vlan and the auth-fail vlan configuration?
    Thanks in advance,
    Alaeddine

  • Dot1x guest VLAN on 2960G

    Hi,
    I have a 2960 sw configured for dot1x authentication, the problem is the Guest VLAN and Restricted VLAN didnot work. The switch port was stuck in authenticating status.
    The server is Juniper IC4500.
    Switch is 2960G, IOS 15.0(1)SE2
    the configuration:
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa authorization network default group radius
    dot1x system-auth-control
    dot1x test timeout 30
    dot1x guest-vlan supplicant
    dot1x critical eapol
    interface FastEthernet0/32
    switchport access vlan 28
    switchport mode access
    authentication event fail action authorize vlan 41
    authentication event server dead action authorize vlan 41
    authentication event server dead action authorize voice
    authentication event no-response action authorize vlan 41
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab
    authentication port-control auto
    authentication timer reauthenticate 300
    authentication violation protect
    mab eap
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x max-req 1
    dot1x max-reauth-req 1
    dot1x max-start 1
    spanning-tree portfast
    Anyone with experience on this pls help.
    Thanks,
    hoanghiep

    forgot to mention that multi-auth do not support actions on either no-response or fail authentication events. So you need to set host-mode to MDA or single host.
    Ref:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875

  • Dot1x guest-vlan issues with windows XP

    Hi,
    I have dot1x setup on a 3560. I basically have 3 vlans configured.
    All ports are in vlan "guest (vlan 10)" by default. The authenticated "AUTH" vlan is pushed by the radius server after successful authentication. And finally I have a guest/auth-fail vlan for non-dot1x capable machines.
    Everything works fine except that when I connect windows XP machine which is not on the domain then I am not assigned to a guest vlan. The port stays in unauthorized state and a "show interface" output shows that the port is up but line protocol is down.
    It works sometimes but other times it doesnt.
    Is there a trick to it. Also I read an article on ciscos website which was specific to XP and dot1x i.e. the switches waits ~ 180 seconds and you need to plug the cable in/out of the switch to make it to work...I havent tried this yet but anybody has any better ideas then this technique.
    I have the standard config:
    int fa0/1
    dot1x port-control auto
    dot1x guest-vlan 10
    dot1x auth-fail vlan 10
    I am thinking of tweaking the "quite period" and the switch-to-client retransmission timeout values.
    Note: Like I mentioned earlier. After successful authentication corporate clients are put in the correct vlan. Its just the "guest" vlan piece which is not working.
    Thoughts? pointers? Comments?

    OK, first WRT the documentation reference:
    Not entirely accurate. If a host fails to respond to the authenticator, the port remains in the connecting state for [tx-period (max-reauth-req + 1)] seconds. A login window even appearing on an XP machine is dependent on the configuration (usually only occurs with MD5). Not sure about the unplugging cables stuff at all ;-). This certainly shouldn't be in there though, since that's not really a workaround for anything. It is correct in saying that 1X-capable hosts should not be placed in the Guest-VLAN. It's also correct in explaining the quiet period during the HELD state after a failed authentication attempt. However, the rest is completely dependent on the Microsoft supplicant. The Microsoft supplicant gives up on 1X entirely after it fails 3 times in a row. No other supplicants do this AFAIK. Since it gives up on 1X, then that explains why the port would be "stuck" in a connecting state. Not sure if this is just trivia or what though in context to the reference.
    WRT your configuration:
    If you're interested in having 1X timeout any quicker than it does now (see formula above) then the only timers/values you need to bother with are tx-period and/or max-reauth-req. supp-timeout is for non-EAP control packets. The quiet-period is how long the port is in a HELD state when it fails authentication.
    Does this help?

  • Authentication Failed and No Response VLAN

    Documentation states:
    I'm running 12.2(33)SXI. The documentation states:
    With Cisco IOS Release 12.2(33)SXH and later releases, when you configure a guest VLAN, clients that are not 802.1X-capable are put into the guest VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 802.1X-capable but that fail authentication are not granted network access. When operating as a guest VLAN, a port functions in multiple-hosts mode regardless of the configured host mode of the port.
    http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1135086
    I've configured the following (in addition to the normal 802.1x commands) on the port to which the client is connected:
    authentication event no-response action authorize vlan 100
    authentication event fail action authorize vlan 100
    Where vlan 100 is the guest VLAN--i.e. I want any client that has either 1) no 802.1x supplicant configured on the workstation or 2) does not have a valid login/password, to be placed on this VLAN. The problem I run into is that neither of these two things are happening. I can authenticate users with valid login credentials against AD and internal database but when a user without valid credentials attempts to log on or one without a supplicant attempts to connect, I see the debugs in the switch just sending EAP polls to the client. I would expect that it should put the client on the guest VLAN after the attempts time out or if the user provides invalid credentials. This doesn't happen. Please advise. Thanks.

    It seems that the following command seemed to do the trick for us:
    dot1x guest-vlan supplicant
    Basically, even though I had the guest VLAN specified at the interface level, until I entered the above command at the global level, the client (that has no 802.1x supplicant or one that entered wrong credentials) was not being placed in the guest VLAN. Once I entered the above command, it seems to be getting placed in the guest VLAN.

  • Dot1X guest vlan authentication issue..Real Challenge!!

    Hi Guys!
    I would really appreciate if some one could help me find lead on this issue...
    My coporate and Quarantine users dosn't get correct VLAN as soon as i enable Guest VLAN feature..all of them go to guest VLAN...
    Scenario 1
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 1
    802.1X (Quarantine)= VLAN 20
    Non-802.1X (Guest) = UnAouthorized
    Conclusion
    802.1x authentication is working without the guest VLAN feature
    Scenario 2
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication event no-response action authorize vlan 30
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 30 GuestVlan
    802.1X (Quarantine)= VLAN 30 GuestVlan
    Non-802.1X = VLAN 30 GuestVlan
    Conclusion
    802.1X doesn't work after enabling Guest VLAN feature (no-response)
    Some important notes...
    1) IOS version = c3750-ipbase-mz.122-50.SE.bin the only IOS which supports 10gig modules...
    so i can not test with any other IOS
    2) We had older 3750 100Mpbs switches with same config (we copied the config from old switch to new Switch) and the only command which got change automatically due to IOS change is....
    dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)
    so even if you put old command syntax it will get change to new one...
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
    Guys please help me.........

    Just to update you here.......after running some debugs on Swicth i found that....(Scenario-2)
    When we connect 8021X enabled PCs (Coporate users) and Boot them...they initially behave like Non-8021X client while booting and during that time switch puts them in guest vlan but when workstation comes to a state (login prompt)where they start communicating like 8021X client.....switch just fails to put them in appropriate VLANs.. may be due to some time out issues.........I feel like i am very close to get the solution but just wondering which timers need to change or may be i am wrong if there is something else need to be put in...........any way i just shared my things with you....
    Same Workstations are working fine with old swicthes without any problem...it is windows XP SP3

  • Guest VLAN cannot ping gateway

    Hi Sir,
         I have an issue wherein my guest vlan cannot ping its gateway thus it cant go through the web auth page. I have been given an ip address with corresponding gateway, subnet and dns for the guest vlan. I have allowed all the vlans in the trunk port for wlc and ap connection.
         wat do you think is the problem? hope you could help on this.
    thanks.
    Regards,
    Neri

    Hi Neri
    The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
    When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
    It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
    Regards
    Roger

  • 802.1.x guest VLAN problem

    Hi,
    I have configured Guest Vlan in switch port, when i power on PC and i didn't make login, PC after some time goes to Guest Vlan but it didn't acquire an IP address and after some time port goes to unauthorized state and then after some time goes to guest vlan.and so on
    I'm using XP sp2 with:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\Suppli
    cantModeDWORD Value = 3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMo
    deDWORD Value = 0
    Could someone give some help,please.
    Thanks
    BR

    The key here is your AuthMode setting to 0. With this setting, if a connection has already been authenticated with machine-auth, the user’s credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is of you have configured AuthMode = 0 AND then turned off machine-authentication.
    As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
    I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
    *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
    *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
    *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
    Hope this helps.

  • HQ and Remote Wired Guest VLAN

    Hello all,
    I am having trouble to create a standard condition for Policy Authorization.  Basically there are HQ and remote locations configure for guest access.
    Each location has its own guest vlan.  On ISE the standard rule are:
    Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
    This rule is working good for HQ.
    Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
    This rule is design for remote but Standard rule 1 is taking over because first match applied and since the OR condition may cause some problem
    with internal users since the condition is Unknown OR MTL_Devices.  There is no AND condition for this.
    Let me know if anyone has idea or have solved this problem.
    Thank you.

    Hi,
    You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.
    Please change the order and see if this fixes your issue, if this doesnt work, post a screenshot of your policies just to make sure we are on the same page.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

Maybe you are looking for

  • Error in NWDIs CMS

    Hi Experts, I am getting the following error when trying to check-in components in the transport studio of NWDIs CMS: Unexpected error; inform your system administrator:com.sap.cms.util.exception.CMSUnexpectedException: Pls help me to solve this erro

  • How do I download a TV program?

    I purchased a TV program on my home PC and downloaded it. But I want to download it on to my laptop in the offcie? It seems like they want to charge me again for the download?

  • User authentication error with Proxy Java Calling web Service in XI

    Hello, I have deploy a Web Service in SAP XI 3.0. within a SOAP sender adapter. I have also created the Proxy Java Class to access the webservice in the Developer Studio and a Plain Java Class (only with a method main) which uses the proxy classes to

  • Please Help !!!How to pass variable defined in Event Listener Method outside it.

    Hi, everybody I have 3-4 swf those i want to load one after another like a slideshow.What i  want to do is get the total frames of loaded swf and want to pass that value to Timer object's delay parameter.  i have converted total frames to millisecond

  • I installed Adobe Flash Player, but YouTube is still telling me that I need Flash plug-in?

    I have Safari 7.0, and when I go to youtube, it says that I need the latest flash plug-in, and I keep downloading it but it's still saying the same thing. Flash plug-ins are already enabled in Safari preferences, so I'm not sure what the issue is.