Cisco switches support an 802.1X guest VLAN function, which allows an 802.1X-incapable client to be put into a guest VLAN.
IOS versions before 12.1(22)EA2 do not maintain an EAPoL packet history, so the switch cannot tell whether a client is “802.1X-incapable” or “802.1X-capable but failed the authentication”.
After IOS 12.1(22)EA2, the EAPoL packet history table enables the switch to differentiate between these two situations, so only an “802.1X-incapable” client can cause the interface to be put into the “guest-vlan”.
If you want a switch with IOS 12.1(22)EA or later to act the same as the previous IOS versions, you can use the command “dot1x guest-vlan supplicant”. With this command, a client will be put into the guest-vlan even if it is 802.1X-capable and failed the authentication.
But if the same switchport (already put into the guest-vlan) receives an EAPoL packet, it reverts to an unauthorized state and 802.1X authentication restarts on this port.
So my question is: if an 802.1X-capable client failed the authentication and had the switchport put into the guest-vlan, will it resend the EAPoL (802.1X request) later?
If so, the port will be in an endless loop, fluctuating between the “unauthorized state” and the “guest-vlan state”.
I need to set up a lab to find out the answer.
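
The port rules described above can be written down as a small state model. This is an added illustration, not Cisco code and not a lab result: the `Port` class, the event names and the `run` helper are hypothetical, and the sample client is assumed to send EAPoL again after every failure, which is exactly the open question.

```python
# Toy model of the guest-VLAN rules as described in the post (IOS with EAPoL history).
# Assumption: timers, retry counts and real IOS internals are not modelled.
from dataclasses import dataclass, field

@dataclass
class Port:
    guest_vlan_supplicant: bool = False   # models "dot1x guest-vlan supplicant"
    state: str = "unauthorized"
    seen_eapol: bool = False              # the EAPoL packet history for this port
    log: list = field(default_factory=list)

    def _set(self, new_state):
        # Record only real state changes so flapping is easy to see.
        if new_state != self.state:
            self.state = new_state
            self.log.append(new_state)

    def handle(self, event):
        if event == "eapol":              # any EAPoL frame from the client
            self.seen_eapol = True
            if self.state == "guest-vlan":
                self._set("unauthorized") # authentication restarts on the port
        elif event == "auth-ok":
            self._set("authorized")
        elif event in ("auth-fail", "no-response"):
            # "no-response": the switch's identity requests went unanswered.
            if self.guest_vlan_supplicant or not self.seen_eapol:
                self._set("guest-vlan")
            else:
                self._set("unauthorized")
        return self.state

def run(port, events):
    """Feed a sequence of events to the port and return its state-change log."""
    for event in events:
        port.handle(event)
    return port.log

# Constructed input: a capable client with bad credentials that retries three times.
RETRYING_CLIENT = ["eapol", "auth-fail"] * 3

if __name__ == "__main__":
    print("default   :", run(Port(), RETRYING_CLIENT))
    print("supplicant:", run(Port(guest_vlan_supplicant=True), RETRYING_CLIENT))
    print("incapable :", run(Port(), ["no-response"]))
```

Under that assumption the model flaps between guest-vlan and unauthorized only when the supplicant option is enabled; whether a real supplicant retries still has to be confirmed in the lab.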