I'll just leave this here.

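! AAA must be enabled before the aaa commands below are accepted
aaa new-model
aaa authentication dot1x default group radius none
! Needed for the switch to apply the VLAN assigned by the RADIUS server
aaa authorization network default group radius
dot1x system-auth-control
!
interface FastEthernet0/X
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan XXX
 spanning-tree portfast
!
radius-server host XXX.XXX.XXX.XXX auth-port 1812 acct-port 1813 key KEY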

On the RADIUS server (aka NAP), the following attributes must be defined for users:

Tunnel-Type [64] = VLAN
Tunnel-Medium-Type [65] = 802
Tunnel-Private-Group-Id [81] = NAME_OF_VLAN
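
As an added example (not part of the original post), the Python below encodes these three attributes the way RFC 2868 lays them out on the wire and checks that a captured attribute list carries a consistent VLAN assignment. The function names and the VLAN name "STAFF" are assumptions made for illustration.

```python
import struct

# Attribute numbers as listed above; values from RFC 2868 (13 = VLAN, 6 = IEEE-802).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def encode_vlan_attrs(vlan, tag=0):
    """Encode the three attributes as RADIUS type/length/value triples."""
    def tagged_int(attr, value):
        # One tag octet followed by a 3-octet integer value, total length 6.
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    # Tunnel-Private-Group-Id carries a tag octet only when the tag is 0x01-0x1F.
    body = (bytes([tag]) if tag else b"") + vlan.encode("ascii")
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)) + body)


def parse_attrs(data):
    """Walk the attribute list; raise ValueError on a malformed length."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError(f"bad length for attribute {attr}")
        attrs[attr] = data[i + 2:i + length]
        i += length
    return attrs


def assigned_vlan(data):
    """Return the VLAN name or ID if all three attributes agree, else None."""
    a = parse_attrs(data)
    t, m, g = (a.get(k) for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if not (t and m and g) or len(t) != 4 or len(m) != 4:
        return None
    if int.from_bytes(t[1:], "big") != VLAN or int.from_bytes(m[1:], "big") != IEEE_802:
        return None
    if g[0] <= 0x1F:  # leading tag octet, not part of the VLAN name
        g = g[1:]
    return g.decode("ascii") or None


# Constructed sample: attributes for a hypothetical VLAN named "STAFF", tag 1.
SAMPLE = encode_vlan_attrs("STAFF", tag=1)

if __name__ == "__main__":
    print(assigned_vlan(SAMPLE))
```

The input is only the attribute portion of an Access-Accept, without the 20-byte RADIUS packet header.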

When you configure Microsoft NAP, there is a problem with the client part of the product. In general, Microsoft NAP works on operating systems starting with Microsoft Windows XP SP3 and higher. Windows XP SP3 has everything you need to work with NAP, except the graphical console for configuring NAP functions. This console is, by and large, not necessary in a corporate network, as all settings for the client computers are distributed centrally through Group Policy.

So, for NAP to operate correctly, client computers must start the NAP Agent service automatically; by default this service is disabled. Enabling it, along with the other services NAP needs, through Group Policy is not difficult. However, if while customising the Group Policy you accidentally or intentionally click the Edit Security button, this operation causes the automatic start of the NAP Agent service to fail on Windows XP SP3.
