Default Guest VLAN (Last Thing to do) - Part 13


Do put unauthenticated users in a Guest VLAN, but make it the last step. While you are still rolling out computers and certificates, users will still be receiving or renewing a certificate, so ports that allow unauthenticated access should exist only inside the physical office of your IT department, nowhere else. While doing so, it’s best to have a lock on the door so that only IT personnel are given access, or at least to have someone present in the room.


Once you have moved all your clients to certificate-based NPS VLAN assignment, you can continue protecting your network by putting unauthorized / unknown devices in a GUEST VLAN.


# And here we have a configured NPS-authenticated port with a default VLAN of 500


The complete per-port configuration looks like this (assuming you have not configured anything other than what is mentioned in this blog series).


```
conf t
interface GigabitEthernet0/15
 description Configure port for NPS Authorization
 switchport mode access
 ! fallback to the guest VLAN when authentication fails, when no RADIUS
 ! server answers, or when the client never responds to 802.1X/MAB
 authentication event fail action authorize vlan 500
 authentication event server dead action authorize vlan 500
 authentication event no-response action authorize vlan 500
 ! re-run authentication once a RADIUS server becomes reachable again
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
```

# Be aware: if you have locked down your guest VLAN from your servers, devices that land in it won’t be able to reach the corporate network, so they will not receive Group Policy (i.e. Wi-Fi/LAN settings and certificates) and will be unable to perform business-related tasks. Test this up front, and roll out with minor impact, e.g. 4 devices at a time.

To apply this in bulk on a 24- or 48-port switch:

# Fast Ethernet ports: bulk change ports 1-8

```
interface range Fa0/1 - 8
 ! the prompt changes to (config-if-range)#
 authentication event fail action authorize vlan 500
 authentication event server dead action authorize vlan 500
 authentication event no-response action authorize vlan 500
 authentication event server alive action reinitialize
```
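After each batch of 4 devices it helps to check which ports actually ended up in VLAN 500, because a client sitting there silently has lost its path to Group Policy and certificate renewal. On the switch itself `show authentication sessions interface GigabitEthernet0/15` shows the method and status of a single port; for a whole switch, the operational VLAN of every port is visible in `show interfaces status`. The script below is an added example, not code from this blog series: it parses a constructed sample of that output (the column layout is an approximation of the real command, not a capture) and flags connected ports that fell into the fallback VLAN outside an allowlist of ports where unauthenticated access is expected (the IT office ports, which are assumed values here).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The guest / fallback VLAN from the port configuration on this page.
FALLBACK_VLAN = "500"

# Ports where an unauthenticated device is expected (the IT department office).
# Constructed example values; adapt to your own switch.
EXPECTED_FALLBACK_PORTS = {"Gi0/1", "Gi0/2"}

# Constructed sample modelled on Cisco IOS `show interfaces status` output.
# Not captured from a real switch; column widths are approximate.
SAMPLE_OUTPUT = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     IT office          connected    500        a-full  a-1000 10/100/1000BaseTX
Gi0/2     IT office          notconnect   500          auto   auto 10/100/1000BaseTX
Gi0/14    Finance desk       connected    20         a-full  a-1000 10/100/1000BaseTX
Gi0/15    Configure port for connected    500        a-full  a-100  10/100/1000BaseTX
Gi0/16                       notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/17    Printer            connected    500        a-full  a-100  10/100/1000BaseTX
"""

# The Name column may be empty or contain spaces, so the row is anchored on the
# Status keyword and the fixed columns that follow it.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled|inactive)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>.*)$"
)


@dataclass(frozen=True)
class PortStatus:
    port: str
    name: str
    status: str
    vlan: str


def parse_interfaces_status(text: str) -> list[PortStatus]:
    """Turn `show interfaces status` text into one PortStatus per interface row.
    Header and blank lines do not match the pattern and are skipped."""
    rows: list[PortStatus] = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            rows.append(PortStatus(m["port"], m["name"].strip(), m["status"], m["vlan"]))
    return rows


def unexpected_fallback_ports(
    rows: list[PortStatus],
    fallback_vlan: str = FALLBACK_VLAN,
    expected: set[str] = EXPECTED_FALLBACK_PORTS,
) -> list[PortStatus]:
    """Connected ports that landed in the fallback VLAN where that is not expected.
    Each one is a device that failed 802.1X/MAB, hit a dead RADIUS server, or never
    responded, and is now cut off from Group Policy and certificate renewal."""
    return [
        r
        for r in rows
        if r.status == "connected" and r.vlan == fallback_vlan and r.port not in expected
    ]


if __name__ == "__main__":
    for r in unexpected_fallback_ports(parse_interfaces_status(SAMPLE_OUTPUT)):
        print(f"{r.port:8} {r.name or '(no description)':24} is in VLAN {r.vlan}: check the client")
```

Run it against the real output of `show interfaces status` (pasted into a file or pulled over SSH) after each rollout batch; any port it lists is a client to look at before moving on to the next four devices.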