Configuring Authenticated VLANs Configuring Authenticated VLANs
OmniSwitch 6800/6850/9000 Network Configuration Guide March 2008 page 26-27
Configuring Authentication IP Addresses
Authentication clients connect to an IP address on the switch for authentication. (Web browser clients may
enter a DNS name rather than the IP address; see “Setting Up a DNS Path” on page 26-29). When the
router interface is set up for an authenticated VLAN (through the ip interface command), the switch auto-
matically sets up an authentication address for that authenticated VLAN based on the router interface
address. The authentication address uses the same mask as the router interface address and includes .253 at
the end of the address.
For example, if the router port address for authenticated VLAN 3 is 10.10.2.20, the authentication address
will be 10.10.2.253. This address is modifiable through the avlan auth-ip command; the address,
however, must use the same mask as the router port address. For example:
-> avlan auth-ip 3 10.10.2.80
This changes the authentication address for VLAN 3 to 10.10.2.80. The authentication IP address is also
used for the DNS address (see “Setting Up a DNS Path” on page 26-29).
When modifying the authentication address for a specific VLAN, make sure the following is true:
• The new IP address does not match an IP router interface address for the same VLAN. IP address reso-
lution problems can occur if these two addresses are not unique.
• The new IP address is an address that is local to the network segment on which the client is connected
The binding of the VLAN to the authentication IP address is to provide flexibility for the network
administrator to assign a designated IP address for respective user network segments.
To display authentication addresses, use the show aaa avlan auth-ip command.
Setting Up the Default VLAN for Authentication Clients
By default, authentication users cannot traffic in the default VLAN prior to authentication; however, the
switch may be configured to enable the default VLAN so that users may traffic in the default VLAN prior
to authentication.
The default VLAN is the default VLAN for the authentication port, the physical port through which
authentication clients are connected to the switch. The authentication port is specified through the vlan
port authenticate command. See “Configuring Authenticated Ports” on page 26-28.
Use the aaa accounting command command to enable the default VLAN for authentication traffic.
-> avlan default-traffic enable
When this command is enabled, any authentication client initially belongs to the default VLAN of the
authentication port through which the client is connected. After authentication, if a client is removed from
an authenticated VLAN through the aaa avlan no command, the client is moved to the default VLAN.
To disable any default VLAN for authentication traffic, use the disable keyword with the command:
-> avlan default-traffic disable
WARNING: Traffic on default vlan is DISABLED.
Existing users on default vlan are not flushed.
Users now do not belong to and cannot traffic in the default VLAN prior to authentication. Note that any
existing users in the default VLAN are not flushed.
To Next Page
Loading...
