Security
HMG-838PT & HMG-838EPT Web Configuration 5-24
setting applies to ports running Single 802.1X, Multi 802.1X, or MAC-based authentication. By default, hold time is
set to 10 seconds. The allowed range is 10~1000000 seconds.
Radius-Assigned QoS Enabled: Select the checkbox to globally enable RADIUS assigned QoS.
Radius-Assigned VLAN Enabled: RADIUS-assigned VLAN provides a means to centrally control the VLAN on
which a successfully authenticated supplicant is placed on the switch. Incoming traffic will be classified to and
switched on the RADIUS-assigned VLAN. The RADIUS server must be configured to transmit special RADIUS
attributes to take advantage of this feature.
The "RADIUS-Assigned VLAN Enabled" checkbox provides a quick way to globally enable/disable RADIUS-server
assigned VLAN functionality. When checked, the corresponding setting on each individual port determines whether RADIUS-assigned
VLAN is enabled on that port. When unchecked, RADIUS-server assigned VLAN is disabled on all ports.
Guest VLAN Enabled: A Guest VLAN is a special VLAN typically with limited network access. When checked, the
corresponding setting on each individual port determines whether the port can be moved into the Guest VLAN. When unchecked, the
ability to move to the Guest VLAN is disabled on all ports.
Guest VLAN ID: This VLAN ID is functional only when Guest VLAN is enabled. This is the value that a port’s Port
VLAN ID is set to if a port is moved into the Guest VLAN. The range is 1~4095.
Max. Reauth. Count: The maximum number of times the switch transmits an EAPOL Request Identity frame
without receiving a response before adding a port to the Guest VLAN. The value can only be changed when the
Guest VLAN option is globally enabled. The range is 1~255.
Allow Guest VLAN if EAPOL Seen: The switch remembers if an EAPOL frame has been received on the port for
the lifetime of the port. When the switch considers whether to enter the Guest VLAN, it will first check if this option
is enabled or disabled. If disabled (unchecked; default), the switch will only enter the Guest VLAN if an EAPOL
frame has not been received on the port for the lifetime of the port. If enabled (checked), the switch will consider
entering the Guest VLAN even if an EAPOL frame has been received on the port for the lifetime of the port. The
value can only be changed if the Guest VLAN option is globally enabled.
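The Guest VLAN settings above interact, so the following added example (not code from the manual or the switch firmware) models the decision in Python so that a planned configuration can be checked before it is applied. The class, field and function names are assumptions, as is the exact comparison used against Max. Reauth. Count.

```python
from dataclasses import dataclass

@dataclass
class GuestVlanConfig:
    """Global and per-port Guest VLAN settings as described in this section."""
    global_enabled: bool               # "Guest VLAN Enabled" (global checkbox)
    port_enabled: bool                 # the port's own Guest VLAN setting
    guest_vlan_id: int                 # "Guest VLAN ID", range 1~4095
    max_reauth_count: int              # "Max. Reauth. Count", range 1~255
    allow_if_eapol_seen: bool = False  # unchecked by default

    def validate(self) -> None:
        if not 1 <= self.guest_vlan_id <= 4095:
            raise ValueError("Guest VLAN ID must be in 1~4095")
        if not 1 <= self.max_reauth_count <= 255:
            raise ValueError("Max. Reauth. Count must be in 1~255")

@dataclass
class PortState:
    """Hypothetical per-port runtime state (field names are assumptions)."""
    pvid: int                     # current Port VLAN ID
    unanswered_requests: int = 0  # Request Identity frames sent with no response
    eapol_seen: bool = False      # remembered for the lifetime of the port

def guest_vlan_decision(cfg: GuestVlanConfig, port: PortState):
    """Return (enters_guest_vlan, resulting_pvid, reason)."""
    cfg.validate()
    if not cfg.global_enabled:
        return False, port.pvid, "Guest VLAN disabled globally"
    if not cfg.port_enabled:
        return False, port.pvid, "Guest VLAN disabled on this port"
    # Assumption: the port is considered once the count has been reached.
    if port.unanswered_requests < cfg.max_reauth_count:
        return False, port.pvid, "still waiting for a response"
    if port.eapol_seen and not cfg.allow_if_eapol_seen:
        return False, port.pvid, "EAPOL frame seen earlier on this port"
    # The port's Port VLAN ID is set to the Guest VLAN ID.
    return True, cfg.guest_vlan_id, "moved to Guest VLAN"

if __name__ == "__main__":
    cfg = GuestVlanConfig(True, True, guest_vlan_id=999, max_reauth_count=2)
    # Constructed port states: a silent device, and one that sent EAPOL earlier.
    for port in (PortState(pvid=10, unanswered_requests=2),
                 PortState(pvid=10, unanswered_requests=2, eapol_seen=True)):
        print(guest_vlan_decision(cfg, port))
```

With the default (unchecked) "Allow Guest VLAN if EAPOL Seen", the second constructed port stays on its original VLAN even though it has stopped responding.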
Port Configuration
Port: The port number. “Port *” rules apply to all ports.
Admin State: Select the authentication mode on a port. This setting works only when NAS is globally
enabled. The following modes are available:
Force Authorized: In this mode, the switch will send one EAPOL Success frame when the port link comes
up, and any client on the port will be allowed network access without authentication.
Force Unauthorized: In this mode, the switch will send one EAPOL Failure frame when the port link comes
up, and any client on the port will be disallowed network access.
Port-Based 802.1X: This mode requires a dot1x-aware client to be authorized by the authentication server.
Clients that are not dot1x-aware will be denied access.
Single 802.1X: In Single 802.1X, at most one supplicant can get authenticated on the port at a time. Normal
EAPOL frames are used in the communication between the supplicant and the switch. If more than one
supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one
considered. If that supplicant doesn't provide valid credentials within a certain amount of time, another
supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be
allowed access. This is the most secure of all the supported modes. In this mode, the “Port Security” module
is used to secure a supplicant's MAC address once successfully authenticated.
Multi 802.1X: In Multi 802.1X, one or more supplicants can get authenticated on the same port at the same
time. Each supplicant is authenticated individually and secured in the MAC table using the “Port Security”
module.
MAC-based Auth.: Unlike port-based 802.1X, MAC-based authentication does not transmit or receive EAPOL