Security

802.1X Guest VLAN Behaviour

  • 1.  802.1X Guest VLAN Behaviour

    Posted 02-02-2021 16:33
    Hi Guys,

    Trying to figure out something.

    When configuring 802.1X you can configure a Guest VLAN.
    The Guest VLAN is supposedly NOT for failed 802.1X Supplicants, but Supplicants that cannot authenticate (i.e. don't reply to EAPoL messages).
    However, when looking at the authentication order trees, it is stated that if a RADIUS server replies with an access-reject message for a user, the device will check to see if a guest VLAN is configured and if it is, the interface will get placed into it.
    Now upon closer scrutiny of this I realise there is no check for the "server-reject-vlan" so I'm guessing the step for checking a Guest VLAN has a dual purpose which also includes checking for a "server-reject-vlan". If it doesn't exist, deny traffic, if it does exist, place the interface in the defined VLAN?

    This is one of the harder things to lab, so if anyone could share their knowledge on this one it would be appreciated.

    Thanks in advance