When does a switch port get placed into a restricted VLAN?

Within an 802.1X-enabled network with the Auth Fail feature configured, when does a switch port get placed into a restricted VLAN?
A. When 802.1X is not globally enabled on the Cisco catalyst switch
B. When AAA new-model is enabled
C. Other options


5 thoughts on “When does a switch port get placed into a restricted VLAN?”

  1. The answer should be:

    A. When user failed to authenticate after certain number of attempts

    When an authentication fails, the port can be moved into a configured restricted VLAN instead of blocking the client completely. The port is moved to the configured restricted VLAN only if the authentication failure action is set to place the port in a restricted VLAN using the auth-fail-action command at the global level or using the authentication fail-action command at the interface level. Else, when the authentication fails, the client’s MAC address is blocked in the hardware (default action).

    http://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-commandref/GUID-7B8D8025-27BB-4D34-A2D5-B58C3D1C2777.html

  2. When does a Switch port go on guest VLAN?
    A. When user failed to authenticate after certain number of attempts
    B. When 802.1X is not globally enabled on the Cisco catalyst switch
    C. When AAA new-model is enabled
    D. If a connected client does not support 802.1X
    E. After a connected client exceeds a specific idle time

    Answer: D
    The following tasks must be completed before implementing the IEEE 802.1X Guest VLAN feature:
    • IEEE 802.1X must be enabled on the device port.
    • The device must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS).
    • EAP support must be enabled on the RADIUS server.
    • You must configure the IEEE 802.1X supplicant to send an EAP-logoff (Stop) message to the switch when the user logs off.
    • Authentication, authorization, and accounting (AAA) must be configured on the port for all network-related service requests.
    • The port must be successfully authenticated.
    When you configure a guest VLAN, clients that are not 802.1X-capable are put into the guest VLAN when the server does not receive a response to its EAP-request/identity frame. Clients that are 802.1X-capable but that fail authentication are not granted network access.

  3. I have the following answers in the question:

    A. When user failed to authenticate after certain number of attempts
    B. When 802.1X is not globally enabled on the Cisco catalyst switch
    C. When AAA new-model is enabled
    D. If a connected client does not support 802.1X
    E. After a connected client exceeds a specific idle time

    Shouldn’t the correct answer be “A”?
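
The two fallback behaviours discussed in the comments above, shown side by side as an added Cisco IOS configuration example (not part of the original page or its comments). The interface name and VLAN IDs 10, 20 and 30 are constructed, and the RADIUS server definition is omitted.

```cisco
! Global prerequisites (RADIUS server definition omitted)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description Constructed example access port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! Restricted (auth-fail) VLAN 30: an 802.1X-capable client fails
 ! authentication and the 2 permitted retries are used up
 authentication event fail retry 2 action authorize vlan 30
 ! Guest VLAN 20: the client never answers EAP-Request/Identity,
 ! i.e. it has no 802.1X supplicant
 authentication event no-response action authorize vlan 20
```

`show authentication sessions interface GigabitEthernet1/0/10` shows which VLAN the port was actually authorized into. Both fallback VLANs should be isolated by ACLs or firewalling, since they admit unauthenticated devices.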
