Administrator Guide

Authentication, Authorization, and Accounting 327
without much additional configuration required on the switches in the
network. Dynamic VLAN assignment requires that the port be configured in
general or access mode.
Unauthenticated VLAN
The network administrator may choose to configure an unauthenticated
VLAN. Hosts that attempt authentication and fail are placed in the
unauthenticated VLAN. Once in the unauthenticated VLAN, authentication
is not reattempted until:
• the re-authentication timer expires
• the supplicant disconnects from the port
• the port is shut down and re-enabled
The number of re-authentication failures required to place a supplicant in the
unauthenticated VLAN is not configurable.
The network administrator can configure the unauthenticated VLAN to
provide the desired level of network access, i.e., a black hole or a guest VLAN
type of access.
Guest VLAN
The Guest VLAN feature provides a mechanism to allow users access to a
guest VLAN. For example, the administrator might provide a guest VLAN to
visitors and contractors so that they can connect to external network
resources, such as the Internet, with no ability to access information on
the internal LAN.
As an example, consider a port configured in auto authentication mode
(dot1x port-control auto) and connected to a client that does not support
802.1X. The client does not respond to the 802.1X requests from the switch,
so the port remains in the unauthorized state and the client is not granted
access to the network. If a guest VLAN is configured for that port, the
port is instead placed in the configured guest VLAN and moved to the
authorized state, allowing the client access over the guest VLAN.
NOTE: MAB and the guest VLAN feature are mutually exclusive on a port. If MAB
is enabled on a port concurrently with guest VLAN, the port will not move to the
authorized state.
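
The following added example (not part of the original guide or the vendor's tooling) audits a saved configuration for the two port-level constraints stated above: MAB together with a guest VLAN, and a port mode other than general or access on an 802.1X port. Only dot1x port-control auto is taken from the guide; the interface names, the dot1x guest-vlan, dot1x mac-auth-bypass and switchport mode keywords, and the sample configuration are assumptions to adapt to your platform.

```python
import re

# Constructed sample config. Only "dot1x port-control auto" appears in the
# guide text; every other keyword is assumed and may differ per platform.
SAMPLE_CONFIG = """\
interface Gi1/0/1
switchport mode access
dot1x port-control auto
dot1x guest-vlan 100
exit
interface Gi1/0/2
dot1x port-control auto
dot1x guest-vlan 100
dot1x mac-auth-bypass
exit
interface Gi1/0/3
switchport mode trunk
dot1x port-control auto
exit
"""

def parse_interfaces(text):
    """Return {interface name: [config lines]} for each interface stanza."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line in ("exit", "!"):
            current = None
        elif current is not None and line:
            current.append(line)
    return ports

def audit(text):
    """Flag both constraints; a port with no explicit mode line is not flagged."""
    findings = []
    for name, lines in parse_interfaces(text).items():
        if "dot1x port-control auto" not in lines:
            continue  # only ports doing 802.1X authentication are in scope
        guest = any(l.startswith("dot1x guest-vlan ") for l in lines)
        mab = "dot1x mac-auth-bypass" in lines
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if guest and mab:
            findings.append((name, "MAB and guest VLAN both set: port will not authorize"))
        if mode is not None and mode not in ("access", "general"):
            findings.append((name, "dynamic VLAN assignment needs general or access mode"))
    return findings
```
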