◆ Guest VLAN ID – This is the value that a port's Port VLAN ID is set to if a port is moved
into the Guest VLAN. It is only changeable if the Guest VLAN option is globally enabled.
(Range: 1-4095)
◆ Max. Reauth. Count – The number of times that the switch transmits an EAPOL Request
Identity frame without receiving a response before adding a port to the Guest VLAN. The
value can only be changed if the Guest VLAN option is globally enabled. (Range: 1-255)
◆ Allow Guest VLAN if EAPOL Seen – The switch remembers if an EAPOL frame has
been received on the port for the lifetime of the port. When the switch considers whether to
enter the Guest VLAN, it first checks whether this option is enabled or disabled. If disabled (the
default), the switch will only enter the Guest VLAN if no EAPOL frame has been received
on the port for the lifetime of the port. If enabled, the switch will consider entering the Guest
VLAN even if an EAPOL frame has been received on the port for the lifetime of the port. The
value can only be changed if the Guest VLAN option is globally enabled.
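The following Python model is an added example, not code from this manual or from the switch firmware. It replays the Guest VLAN entry decision described by the three parameters above. The class names, the sample VLAN ID 999, the starting Port VLAN ID 1, and the rule that any client EAPOL frame restarts the unanswered-request count are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class GuestVlanConfig:
    enabled: bool = True               # Guest VLAN option, globally enabled
    guest_vlan_id: int = 999           # constructed sample value (Range: 1-4095)
    max_reauth_count: int = 2          # Max. Reauth. Count (Range: 1-255)
    allow_if_eapol_seen: bool = False  # disabled is the documented default

    def __post_init__(self):
        if not 1 <= self.guest_vlan_id <= 4095:
            raise ValueError("Guest VLAN ID out of range 1-4095")
        if not 1 <= self.max_reauth_count <= 255:
            raise ValueError("Max. Reauth. Count out of range 1-255")

class PortModel:
    """Hypothetical model of one port; not the switch's firmware logic."""
    def __init__(self, cfg, port_vlan_id=1):
        self.cfg = cfg
        self.pvid = port_vlan_id
        self.eapol_seen = False  # remembered for the lifetime of the port
        self.unanswered = 0      # Request Identity frames sent with no reply

    def on_eapol_from_client(self):
        self.eapol_seen = True
        self.unanswered = 0      # assumption: any reply restarts the count

    def on_request_identity_timeout(self):
        """One more Request Identity frame went unanswered; True if the port is moved."""
        self.unanswered += 1
        if not self.cfg.enabled or self.pvid == self.cfg.guest_vlan_id:
            return False
        if self.unanswered < self.cfg.max_reauth_count:
            return False
        if self.eapol_seen and not self.cfg.allow_if_eapol_seen:
            return False         # EAPOL was seen earlier: stay out of the Guest VLAN
        self.pvid = self.cfg.guest_vlan_id
        return True

def simulate(cfg, events):
    """Replay constructed events ('eapol' or 'timeout'); return the final Port VLAN ID."""
    port = PortModel(cfg)
    for ev in events:
        if ev == "eapol":
            port.on_eapol_from_client()
        elif ev == "timeout":
            port.on_request_identity_timeout()
        else:
            raise ValueError(f"unknown event: {ev}")
    return port.pvid
```

With the default setting, a port that has ever seen an EAPOL frame keeps its original Port VLAN ID however many requests go unanswered; enabling Allow Guest VLAN if EAPOL Seen lets the same event sequence move it to the Guest VLAN.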
Port Configuration
◆ Port – Port identifier.
◆ Admin State – If NAS is globally enabled, this selection controls the port's authentication
mode. The following modes are available:
■ Force Authorized – The switch sends one EAPOL Success frame when the port link
comes up. This forces the port to grant access to all clients, either dot1x-aware or
otherwise. (This is the default setting.)
■ Force Unauthorized – The switch will send one EAPOL Failure frame when the port
link comes up. This forces the port to deny access to all clients, either dot1x-aware or
otherwise.
■ Port-based 802.1X – Requires an 802.1X-aware client to be authorized by the
authentication server. Clients that are not 802.1X-aware will be denied access.
■ Single 802.1X – At most one supplicant can get authenticated on the port at a time. If
more than one supplicant is connected to a port, the one that comes first when the port's
link comes up will be the first one considered. If that supplicant doesn't provide valid
credentials within a certain amount of time, another supplicant will get a chance. Once a
supplicant is successfully authenticated, only that supplicant will be allowed access. This
is the most secure of all the supported modes. In this mode, the Port Security module is
used to secure a supplicant's MAC address once successfully authenticated.
■ Multi 802.1X – One or more supplicants can get authenticated on the same port at the
same time. Each supplicant is authenticated individually and secured in the MAC table
using the Port Security module.
In multi 802.1X it is not possible to use the multicast BPDU MAC address as the destination
MAC address for EAPOL frames sent from the switch towards the supplicant, since that