configure netlogin dot1x guest-vlan

configure netlogin dot1x guest-vlan vlan_name {ports port_list}

Description

Configures a guest VLAN (Virtual LAN) for 802.1X authentication network login.

Syntax Description

vlan_name Specifies the name of the guest VLAN.
port_list Specifies one or more ports or slots and ports. If the ports keyword is not used, the command applies to all ports.

Default

N/A.

Usage Guidelines

This command configures the guest VLAN for 802.1X on the current virtual router (VR).

Note

Beginning with ExtremeXOS 11.6, you can configure guest VLANs on a per port basis, which allows you to configure more than one guest VLAN per VR. In ExtremeXOS 11.5 and earlier, you can only configure guest VLANs on a per VLAN basis, which allows you to configure only one guest VLAN per VR.

If you do not specify any ports, the guest VLAN is configured for all ports.

Each port can have a different guest VLAN.

A guest VLAN provides limited or restricted network access if a supplicant connected to a port does not respond to the 802.1X authentication requests from the switch. A port always moves untagged into the guest VLAN.

Keep in mind the following when configuring guest VLANs:
  • You must create a VLAN and configure it as a guest VLAN before enabling the guest VLAN feature.

  • Configure guest VLANs only on network login ports with 802.1X enabled.

  • Movement to guest VLANs is not supported on network login ports with MAC-based or web-based authentication.

  • 802.1X must be the only authentication method enabled on the port for movement to guest VLAN.

  • No supplicant on the port has 802.1X capability.

  • You configure only one guest VLAN per virtual router interface.
    Note

    The supplicant does not move to a guest VLAN if it fails authentication after an 802.1X exchange; the supplicant moves to the guest VLAN only if it does not respond to an 802.1X authentication request.

Modifying the Supplicant Timer

By default, the switch attempts to authenticate the supplicant every 30 seconds for a maximum of three tries. If the supplicant does not respond to the authentication requests, the client moves to the guest VLAN. The number of authentication attempts is not a user-configured parameter.

To modify the supplicant response timer, use the following command and specify the supp-resp-timeout parameter:

configure netlogin dot1x timers [{server-timeout server_timeout} {quiet-period quiet_period} {reauth-period reauth_period {reauth-max max_num_reauths}} {supp-resp-timeout supp_resp_timeout}]

If a supplicant on a port in the guest VLAN becomes 802.1X-capable, the switch starts processing the 802.1X responses from the supplicant. If the supplicant is successfully authenticated, the port moves from the guest VLAN to the destination VLAN specified by the RADIUS (Remote Authentication Dial In User Service) server.

Enabling Guest VLANs

To enable the guest VLAN, use the following command:

enable netlogin dot1x guest-vlan ports [all | ports]

Example

The following command creates a guest VLAN for 802.1X named guest for all ports:

configure netlogin dot1x guest-vlan guest

The following command creates a guest VLAN named guest for ports 2 and 3:

configure netlogin dot1x guest-vlan guest ports 2,3

History

This command was first available in ExtremeXOS 11.2.

The ports option was added in ExtremeXOS 11.6.

Platform Availability

This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X620, X690, X870 series switches.