Auth guest-vlan – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual

Authentication Commands

Software Reference for x310 Series Switches, AlliedWare Plus™ Operating System - Version 5.4.4C, C613-50046-01 REV A, 43.8

auth guest-vlan

This command enables and configures the Guest VLAN feature on the specified interface
by associating a Guest VLAN with that interface. This command does not start
authentication. The supplicant's (client device's) traffic is associated with the native VLAN
of the interface if it is not already associated with another VLAN. The routing option
enables routing from the Guest VLAN to another VLAN, so the switch can lease DHCP
addresses and permit access to a limited network.

The no variant of this command disables the Guest VLAN feature on the specified interface.

Syntax

auth guest-vlan <1-4094> [routing]

no auth guest-vlan [routing]

Default

The Guest VLAN authentication feature is disabled by default.

Mode

Interface Configuration for a static channel, a dynamic (LACP) channel group, or a switch
port.

Usage

The Guest VLAN feature may be used by supplicants (client devices) that have not
attempted authentication, or have failed the authentication process. Note that if a port is
in multi-supplicant mode with per-port dynamic VLAN configuration, after the first
successful authentication, subsequent hosts cannot use the guest VLAN due to the
change in VLAN ID. This may be avoided by using per-user dynamic VLAN assignment.

When using the Guest VLAN feature with the multi-host mode, a number of supplicants
can communicate via a guest VLAN before authentication. A supplicant’s traffic is
associated with the native VLAN of the specified switch port. The supplicant must belong
to a VLAN before traffic from the supplicant can be associated.

Note that the VLAN you assign as a Guest VLAN with this command must first be defined
with the vlan command. Also note that 802.1X must first be enabled on the port.

Guest VLAN authentication cannot be enabled if DHCP snooping is enabled (service
dhcp-snooping command on page 56.24), and vice versa.

The Guest VLAN feature in previous releases had some limitations that have been
removed. Until this release the Guest VLAN feature could not lease the IP address to the
supplicant using DHCP Server or DHCP Relay features unless Web authentication was also
applied. When using NAP authentication, the supplicant should have been able to log on
to a domain controller to gain certification, but the Guest VLAN would not accept access
to another VLAN.

The Guest VLAN routing mode in this release overcomes these issues. With the Guest
VLAN routing mode, the switch can lease DHCP addresses and accept access to a limited
network.

See the section “Configuring a Guest VLAN” on page 42.2 for information about the
Guest VLAN feature.

See the section “Limitations on Allowed Feature Combinations” on page 42.29 for
information about restrictions regarding combinations of authentication enhancements
working together.
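The prerequisites in this Usage section (Guest VLAN already defined, 802.1X enabled on the port, DHCP snooping not enabled) can be checked offline against a saved configuration, along with a note for every port that uses the routing option. The Python script below is an added example, not part of the Allied Telesis manual; the running-config layout and the `vlan database`, `vlan <id>`, `interface` and `dot1x port-control` lines are assumptions, and the sample configuration is constructed.

```python
import re

# Constructed sample running-config (not from the manual). The section layout
# and the "vlan database", "vlan <id>", "interface" and "dot1x port-control"
# lines are assumptions about how the switch renders its configuration.
SAMPLE_CONFIG = """\
service dhcp-snooping
vlan database
 vlan 100 name guest
interface port1.0.1
 dot1x port-control auto
 auth guest-vlan 100 routing
interface port1.0.2
 auth guest-vlan 200
"""

GUEST_RE = re.compile(r"auth guest-vlan (\d+)( routing)?$")
VLAN_RE = re.compile(r"vlan (\d+)(?: |$)")


def audit_guest_vlan(config):
    """Return (interface, message) findings for every auth guest-vlan line."""
    defined, blocks, findings = set(), {}, []
    snooping, section = False, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # a new top-level section
            section = line
            snooping = snooping or line == "service dhcp-snooping"
            if line.startswith("interface "):
                blocks[line.split(None, 1)[1]] = []
        elif section == "vlan database" and (v := VLAN_RE.match(line)):
            defined.add(int(v.group(1)))
        elif section.startswith("interface "):
            blocks[section.split(None, 1)[1]].append(line)
    for ifname, lines in blocks.items():
        dot1x = any(l.startswith("dot1x port-control") for l in lines)
        for m in filter(None, map(GUEST_RE.match, lines)):
            vid = int(m.group(1))
            checks = [
                (vid not in defined, f"VLAN {vid} is not defined"),
                (not dot1x, "802.1X is not enabled on the port"),
                (snooping, "conflicts with service dhcp-snooping"),
                (bool(m.group(2)), "routing to other VLANs is enabled"),
            ]
            findings += [(ifname, msg) for hit, msg in checks if hit]
    return findings


if __name__ == "__main__":
    for ifname, msg in audit_guest_vlan(SAMPLE_CONFIG):
        print(f"{ifname}: {msg}")
```

The routing finding is informational: it lists the ports from which Guest VLAN traffic can reach other VLANs, so the limited network behind them can be reviewed.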

Parameter    Description
<1-4094>     VLAN ID (VID).
routing      Enables routing from the Guest VLAN to other VLANs.