Cisco Cisco Gigabit Ethernet Switch Module (CGESM) for HP Technical References
2-68
Cisco Gigabit Ethernet Switch Module for the HP p-Class BladeSystem Command Reference Guide
380265-002
Chapter 2 CGESM Switch Cisco IOS Commands
dot1x auth-fail vlan
dot1x auth-fail vlan
Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port.
To return to the default setting, use the no form of this command.
To return to the default setting, use the no form of this command.
dot1x auth-fail vlan vlan-id
no dot1x auth-fail vlan vlan-id
Syntax Description
Defaults
No restricted VLAN is configured.
Command Modes
Interface configuration
Command History
Usage Guidelines
You can configure a restricted VLAN on ports configured as follows:
•
single-host (default) mode only
•
auto mode for authorization
You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication
requests if re-authentication is disabled. To start the re-authentication process, the restricted VLAN must
receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If
the host is connected through a hub, the port might never receive a link-down event and might not detect
the new host until the next re-authentication attempt occurs.
requests if re-authentication is disabled. To start the re-authentication process, the restricted VLAN must
receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If
the host is connected through a hub, the port might never receive a link-down event and might not detect
the new host until the next re-authentication attempt occurs.
If the user fails authentication, the port is moved to a restricted VLAN, and an EAP success message is
sent to the user. Because the user is not notified of the authentication failure, there might be confusion
about this restricted network access. An EAP success message is sent for these reasons:
sent to the user. Because the user is not notified of the authentication failure, there might be confusion
about this restricted network access. An EAP success message is sent for these reasons:
•
If the EAP success message is not sent, the user tries to authenticate every 60 seconds (the default)
by sending an EAP-start message.
by sending an EAP-start message.
•
Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive
an EAP success message.
an EAP success message.
A user might cache an incorrect username and password combination after receiving an EAP success
message from the authenticator and re-use that information in every re-authentication. Until the user
passes the correct username and password combination, the port remains in the restricted VLAN.
message from the authenticator and re-use that information in every re-authentication. Until the user
passes the correct username and password combination, the port remains in the restricted VLAN.
Internal VLANs used for Layer 3 ports cannot be configured as restricted VLANs.
You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog
message is generated.
message is generated.
vlan-id
Specify a VLAN in the range of 1 to 4094.
Release
Modification
12.2(25)SED
This command was introduced.