Models
Cisco IOS: Catalyst 2900/2900XL/2950/2960/2960S/2960X/2970, 3500XL/3550, 3560/3560E/3560X, 3750/3750E/3750X, 4500/4500E, 4900, 6000, 6500/6500E
Cisco Catalyst 9000 / “9K”, Cisco IOS XE: Catalyst 9200/9200L, 9300/9300L/9300X, 9400, 9500, 9600
For more detailed information about Cisco WCL: 802.1X WLAN with XEOX PNAC, please read Cisco WCL
Enable AAA
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# aaa accounting network default start-stop group radius
authentication mac-move permit
dot1x system-auth-control
dot1x guest-vlan supplicantConfigure RADIUS Server
Switch(config)# radius-server host 192.168.128.245 auth-port 1812 acct-port 1813 key PRESHAREDKEY
Switch(config)# radius-server host 192.168.128.246 auth-port 1812 acct-port 1813 key PRESHAREDKEYPort Configuration
Switch(config)# interface range FastEthernet0/1-20
Switch(config-if)#authentication event fail action authorize vlan 100
Switch(config-if)#authentication event no-response action authorize vlan 1
Switch(config-if)#authentication host-mode multi-domain
Switch(config-if)#authentication order mab
Switch(config-if)#authentication port-control auto
Switch(config-if)#mab
Switch(config-if)#dot1x pae authenticatorAuthentication event fail action authorize vlan
This is the GUEST VLAN for unknown devices
Authentication event no-response action authorize vlan
In case the RADIUS Server isn't responding (e.g. server dead), you can configure a fallback VLAN. e.g. office VLAN.