Authentication introduction, Configuring a guest vlan – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual

Authentication Introduction and Configuration
Software Reference for x310 Series Switches, page 42.2
AlliedWare Plus™ Operating System - Version 5.4.4C
C613-50046-01 REV A

Authentication Introduction

Authentication commands enable you to specify three different types of device
authentication: 802.1X-authentication, Web-authentication, and MAC-authentication.

802.1X is an IEEE standard providing a mechanism for authenticating devices attached to a
LAN port or wireless device. Web-authentication is applicable to devices that have a
human user who opens the web browser and types in a user name and password when
requested. MAC-authentication is used to authenticate devices that have neither a human
user nor implement 802.1X supplicant when making a network connection request.

Configuring a Guest VLAN

In a secure network, the default behavior is to deny any access to supplicants that cannot
be authenticated. However, it is often convenient to allow unauthenticated users to have
limited access. A popular solution is to define a limited-access VLAN, called the Guest
VLAN, and assign unauthenticated users into that VLAN. Unauthenticated supplicants are
either supplicants who have attempted and failed authentication or haven’t performed
any authentication.

See the auth guest-vlan command on page 43.8 for command information about Guest VLAN.

By default, traffic from unauthenticated supplicants in the Guest VLAN will only be L2
switched within the Guest VLAN. But, if the routing parameter for the auth guest-vlan
command is configured, then the switch will route unauthenticated supplicants' traffic to
other VLANs if required, and will relay their DHCP requests to servers in other VLANs if
required.

You can configure 802.1X to accept a Dynamic VLAN assignment, or fall back to a Guest
VLAN upon failure.

To configure a switch to perform 802.1X authentication, assign VLAN IDs to ports
where devices authenticate successfully, and put non-authenticated users into a Guest
VLAN, proceed as follows:

awplus# configure terminal
awplus(config)# radius-server host <ip-address> key <key-string>
awplus(config)# aaa authentication dot1x default group radius
awplus(config)# interface <interface-range>
awplus(config-if)# switchport mode access
awplus(config-if)# dot1x port-control auto
awplus(config-if)# auth dynamic-vlan-creation
awplus(config-if)# auth guest-vlan 100
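As an added example (not code from the manual or from Allied Telesis), the following Python audit parses an AlliedWare Plus-style running configuration and reports, for every 802.1X-controlled port, whether its Guest VLAN keeps unauthenticated traffic L2-isolated (the default described above), has the routing parameter set, or is missing altogether. The configuration excerpt is constructed for the example, and it assumes the routing parameter appears as a trailing `routing` keyword on the `auth guest-vlan` line.

```python
import re
from typing import Dict, List, Optional

# Constructed running-config excerpt (sample data, not taken from the manual).
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 key EXAMPLE-KEY
aaa authentication dot1x default group radius
interface port1.0.1
 switchport mode access
 dot1x port-control auto
 auth dynamic-vlan-creation
 auth guest-vlan 100
interface port1.0.2
 switchport mode access
 dot1x port-control auto
 auth guest-vlan 100 routing
interface port1.0.3
 switchport mode access
 dot1x port-control auto
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'interface <name>' header."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # a non-indented line ends the interface block
    return blocks


def audit_guest_vlan(config: str) -> Dict[str, str]:
    """Classify each 802.1X port by its Guest VLAN posture.

    'isolated' : Guest VLAN set; unauthenticated traffic stays L2-switched within it.
    'routed'   : Guest VLAN set with routing (assumed keyword); traffic may reach other VLANs.
    'no-guest' : 802.1X enforced with no Guest VLAN; unauthenticated devices get no access.
    """
    results: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        if "dot1x port-control auto" not in lines:
            continue  # not an 802.1X-controlled port, nothing to assess
        guest = next((l for l in lines if l.startswith("auth guest-vlan ")), None)
        if guest is None:
            results[name] = "no-guest"
        elif re.search(r"\brouting\b", guest):
            results[name] = "routed"
        else:
            results[name] = "isolated"
    return results
```

Ports reported as "routed" deserve a second look, since unauthenticated supplicants on them are no longer confined to the Guest VLAN.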