802.1x on Cisco switches - single host mode with Guest and Restrictive vlan

Tested with IOS 12.2(50) on 3560 and 3750 switches

  • Enable 802.1x globally

dot1x system-auth-control


  • Create RADIUS group for 802.1x authentication


(config)#aaa new-model
(config)#aaa group server radius 802_1X

Define RADIUS servers and key


(config)#radius-server host
(config)#radius-server host
(config)#radius-server key secret_key


  • Enable authentication method for 802.1x

(config)#aaa authentication dot1x default group 802_1X


  • Enable 802.1x on port

(config)#interface fa0/1
(config-if)#switchport mode access
(config-if)#switchport access vlan 2
(config-if)#authentication port-control auto


  • Set interface type

(config-if)#dot1x pae authenticator


  • Set control direction

(config-if)#authentication control-direction both


  • Set portfast

(config-if)#spanning-tree portfast

Remember to set global BPDU guard for portfast!

(config)#spanning-tree portfast bpduguard default


  • Set host mode

(config-if)#authentication host-mode single-host


  • Set authentication violation mode

(config-if)#authentication violation shutdown


  • Enable re-authentication and set timer

(config-if)#authentication periodic
(config-if)#authentication timer reauthenticate 32400


  • Set the number of seconds the switch waits for a response to an EAP-Request/Identity frame from the client before resending the request

(config-if)#dot1x timeout tx-period 4

Default is 5 secs


  • Set the number of seconds the switch remains in the quiet state after a failed authentication exchange with the client

(config-if)#dot1x timeout quiet-period 30

Default is 60 secs
Be careful with this timer in an AD domain


  • Set the number of seconds the switch waits for a response from the authentication server

(config-if)#dot1x timeout server-timeout 15

Default is 30 secs
Combine it with the event action (see Restrictive vlan section)



  • Enable guest vlan globally

(config)#dot1x guest-vlan supplicant


  • Enable action to move user to guest vlan

(config-if)#authentication event no-response action authorize vlan 12

In the guest VLAN, any EAP-Start attempt changes the port state to UNAUTHORIZED and restarts the authentication procedure

RESTRICTIVE Vlan (only single-host mode)


  • Enable action to move user to restrictive vlan

(config-if)#authentication event fail action authorize vlan 10

Default is 3 attempts; you can change this to between 0 and 5


  • Enable action to move user to restrictive vlan in case of no response from Radius server

(config-if)#authentication event server dead action authorize vlan 10



  • #show dot1x all summary

Display authentication status on ports

Fa0/1 AUTH 0001.8ba4.3cb1 AUTHORIZED



  • #show dot1x all count

Display 802.1x session counts, e.g.

Authorized Clients = 1
UnAuthorized Clients = 0
Total No of Client = 1


  • #show dot1x all details

Display 802.1x information in details

Sysauthcontrol Enabled
Dot1x Protocol Version 2
Dot1x Info for FastEthernet0/1
PortControl = AUTO
ControlDirection = Both
QuietPeriod = 30
ServerTimeout = 15
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 4
Dot1x Authenticator Client List
Supplicant = 0001.8ba4.3cb1
Session ID = 9579E7CD0000001D059A1AA3
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Dot1x Info for FastEthernet0/2
PortControl = AUTO
ControlDirection = Both
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Dot1x Authenticator Client List Empty
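As an added example (not part of the original notes), a small Python audit that parses output in the form of the listing above and flags ports whose timers drift from the values configured in this post, or that have no AUTHORIZED supplicant; the sample output is constructed from the listing (Fa0/1 configured, Fa0/2 still at defaults) and the baseline values are the ones set earlier in these notes.

```python
import re

# Constructed sample, trimmed from the "show dot1x all details" listing above.
SAMPLE_OUTPUT = """\
Dot1x Info for FastEthernet0/1
PortControl = AUTO
ControlDirection = Both
QuietPeriod = 30
ServerTimeout = 15
TxPeriod = 4
Dot1x Authenticator Client List
Supplicant = 0001.8ba4.3cb1
Port Status = AUTHORIZED
Dot1x Info for FastEthernet0/2
PortControl = AUTO
ControlDirection = Both
QuietPeriod = 60
ServerTimeout = 0
TxPeriod = 30
Dot1x Authenticator Client List Empty
"""

# Per-port values the notes configure; anything else is flagged as drift.
BASELINE = {"PortControl": "AUTO", "ControlDirection": "Both",
            "QuietPeriod": "30", "ServerTimeout": "15", "TxPeriod": "4"}

def parse_dot1x_details(text):
    """Map each 'Dot1x Info for <if>' section to its 'key = value' fields."""
    ports, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Dot1x Info for (\S+)", line)
        if head:
            current = head.group(1)
            ports[current] = {}
            continue
        kv = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(\S.*)$", line)
        if current and kv:
            ports[current][kv.group(1)] = kv.group(2).strip()
    return ports

def audit(ports, baseline=BASELINE):
    """Return (interface, field, actual) for baseline drift or a port not AUTHORIZED."""
    findings = []
    for name, fields in sorted(ports.items()):
        for key, want in baseline.items():
            if fields.get(key) != want:
                findings.append((name, key, fields.get(key)))
        if fields.get("Port Status") != "AUTHORIZED":
            findings.append((name, "Port Status", fields.get("Port Status")))
    return findings
```

Running `audit(parse_dot1x_details(SAMPLE_OUTPUT))` reports Fa0/2 for its default QuietPeriod, ServerTimeout and TxPeriod and for having no authorized supplicant, while Fa0/1 produces nothing.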


  • #show dot1x all statistics

Display all 802.1x stats


  • #show dot1x interface fastEthernet 0/1

Display all 802.1x information on interface Fa0/1

Useful commands


  • #dot1x re-authenticate interface fastEthernet 0/1

Force reauthentication of the client on port fa0/1


  • #dot1x test eapol-capable interface fastethernet 0/1

Check whether the client on the port is EAP capable


dzbanek 2011-06-04