Authentication introduction, Configuring a guest vlan – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual

Authentication Introduction and Configuration
Software Reference for x310 Series Switches, AlliedWare Plus™ Operating System - Version 5.4.4C, C613-50046-01 REV A
Authentication Introduction
Authentication commands enable you to specify three different types of device
authentication: 802.1X-authentication, Web-authentication, and MAC-authentication.
802.1X is an IEEE standard providing a mechanism for authenticating devices attached to a
LAN port or wireless device. Web-authentication is applicable to devices that have a
human user who opens the web browser and types in a user name and password when
requested. MAC-authentication is used to authenticate devices that neither have a human
user nor implement an 802.1X supplicant when making a network connection request.
Configuring a Guest VLAN
In a secure network, the default behavior is to deny any access to supplicants that cannot
be authenticated. However, it is often convenient to allow unauthenticated users to have
limited access. A popular solution is to define a limited-access VLAN, called the Guest
VLAN, and assign unauthenticated users to that VLAN. Unauthenticated supplicants are
supplicants that have either attempted and failed authentication or have not performed
any authentication.
See the auth guest-vlan command on page 43.8 for command information about Guest VLAN.
By default, traffic from unauthenticated supplicants in the Guest VLAN will only be L2
switched within the Guest VLAN. However, if the routing parameter for the auth guest-vlan
command is configured, then the switch will route unauthenticated supplicants’ traffic to
other VLANs if required, and will relay their DHCP requests to servers in other VLANs if
required.
You can configure 802.1X to accept a Dynamic VLAN assignment, or fall back to a Guest
VLAN upon failure.
To configure a switch to perform 802.1X authentication, assign VLAN IDs to ports
where devices authenticate successfully, and put non-authenticated users into a Guest
VLAN, proceed as follows:
awplus# configure terminal
awplus(config)# radius-server host <ip-address> key <key-string>
awplus(config)# aaa authentication dot1x default group radius
awplus(config)# interface <interface-range>
awplus(config-if)# switchport mode access
awplus(config-if)# dot1x port-control auto
awplus(config-if)# auth dynamic-vlan-creation
awplus(config-if)# auth guest-vlan 100
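
An added example, not part of the manual: a Python check that reads running-config style text and lists ports that lack dot1x port-control auto or whose Guest VLAN has the routing parameter set, since routing lets unauthenticated supplicants' traffic leave the Guest VLAN. The sample config, its one-space indentation, the interface names and the "auth guest-vlan 100 routing" line form are constructed assumptions based on the commands above.

```python
import re

# Constructed sample in running-config style (not from the manual); port names are assumptions.
SAMPLE_CONFIG = """\
interface port1.0.1
 switchport mode access
 dot1x port-control auto
 auth dynamic-vlan-creation
 auth guest-vlan 100
!
interface port1.0.2
 switchport mode access
 dot1x port-control auto
 auth guest-vlan 100 routing
!
interface port1.0.3
 switchport mode access
!
"""

GUEST_RE = re.compile(r"auth guest-vlan (\d+)(\s+routing)?$")

def parse_interfaces(config):
    """Map each interface stanza to the authentication settings found in it."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], {
                "dot1x_auto": False, "guest_vlan": None, "guest_routing": False})
        elif not raw[:1].isspace():
            current = None  # "!" or any other unindented line closes the stanza
        elif current is not None:
            guest = GUEST_RE.match(line)
            if line == "dot1x port-control auto":
                current["dot1x_auto"] = True
            elif guest:
                current["guest_vlan"] = int(guest.group(1))
                current["guest_routing"] = guest.group(2) is not None
    return ports

def audit(config):
    """Return (interface, finding) pairs for ports that need a reviewer's attention."""
    findings = []
    for name, port in parse_interfaces(config).items():
        if not port["dot1x_auto"]:
            findings.append((name, "no 'dot1x port-control auto'"))
        if port["guest_routing"]:
            findings.append((name, f"guest VLAN {port['guest_vlan']} is routed"))
    return findings
```

Call audit() on the saved configuration text of a switch; on the sample it reports port1.0.2 (routed Guest VLAN) and port1.0.3 (no 802.1X port control).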