Archive for category 802.1x

802.1x Guest VLANs

A guest VLAN on an 802.1x enabled port is used for devices which are not 802.1x compatible.  If the switch doesn’t receive any response to its EAP messages toward the client, the client is placed in the guest VLAN.  This is configured as follows:

Switch(config-if)# dot1x guest-vlan vlan-id


Enabling 802.1X authentication

There are a number of commands to enable 802.1X on a switch:

First, turn on AAA:

Switch(config)# aaa new-model

Tell AAA how to authenticate dot1x:

Switch(config)# aaa authentication dot1x {default} method1

Enable 802.1x on the switch:

Switch(config)# dot1x system-auth-control

You can add an optional authorization mechanism which authorizes network level service requests:

Switch(config)# aaa authorization network {default} group radius

Finally, within the interface upon which 802.1X is going to be configured, set the dot1x status of the port:

Switch(config-if)# dot1x port-control auto

NOTE:  This configuration set assumes that a RADIUS server has been configured using the “radius-server” commands.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Verification of 802.1X status:

Switch# show dot1x

and

Switch# show dot1x interface interface-id
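
An added example (not part of the original post): a small Python audit of a saved running-config that checks for the global commands listed above and reports access ports that are not set to "dot1x port-control auto", along with any guest VLAN assignments. The sample config, the function name audit and the use of "switchport mode access" to pick out access ports are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not taken from the original post).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 20
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 dot1x port-control force-authorized
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

# Global commands the post lists as required before 802.1X works.
GLOBAL_REQUIRED = {
    "aaa new-model": r"^aaa new-model\s*$",
    "aaa authentication dot1x": r"^aaa authentication dot1x \S+ \S+",
    "dot1x system-auth-control": r"^dot1x system-auth-control\s*$",
}

def audit(config):
    """Return (missing globals, {port: mode} not in auto, {port: guest vlan})."""
    missing = [name for name, pat in GLOBAL_REQUIRED.items()
               if not re.search(pat, config, re.M)]
    not_auto, guest = {}, {}
    # An interface stanza is its header line plus the indented lines under it.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        port, body = m.group(1), m.group(2)
        if not re.search(r"^\s+switchport mode access\s*$", body, re.M):
            continue  # assumption: only access ports are expected to run 802.1X
        mode = re.search(r"^\s+dot1x port-control (\S+)", body, re.M)
        if mode is None or mode.group(1) != "auto":
            not_auto[port] = mode.group(1) if mode else "unset"
        vlan = re.search(r"^\s+dot1x guest-vlan (\d+)", body, re.M)
        if vlan:
            guest[port] = vlan.group(1)
    return missing, not_auto, guest

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
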
