Single-host mode, Multi-host mode, Multi-supplicant mode – Allied Telesis AT-8100 Series User Manual

AT-8100 Switch Command Line User’s Guide

1073

Single-Host Mode

Here are the operating characteristics for the switch when an authenticator
port is set to the single-host mode:



If the switch receives a valid VLAN ID from the RADIUS server, it
moves the authenticator port to the designated VLAN and changes
the port to the authorized state. Only the authenticated supplicant
is allowed to use the port. All other supplicants are denied entry.



If the switch receives an invalid VLAN ID from the RADIUS server
(for example, the VID of a nonexistent VLAN), it leaves the port in
the unauthorized state to deny access to the port.

Multi-Host Mode

Here are the operating characteristics for the switch when an authenticator
port is set to the multi-host mode:



If the switch receives a valid VLAN ID from the RADIUS server, it
moves the authenticator port to the designated VLAN and changes
the port to the authorized state. All supplicants are allowed access
to the port and the same VLAN after the initial authentication.



If the switch receives an invalid VLAN ID from the RADIUS server
(for example, the VID of a nonexistent VLAN), it leaves the port in
the unauthorized state to deny access to the port.

Multi-Supplicant

Mode

The initial authentication on an authenticator port running in the multi-
supplicant mode is handled in the same fashion as with the single-host
mode.

In multi-supplicant mode, how the switch handles subsequent
authentications on the same port depends on whether dynamic VLAN
creation is in one of the following states:

Disabled - NO AUTH DYNAMIC-VLAN-CREATION

If dynamic VLAN creation is disabled by issuing NO AUTH DYNAMIC-
VLAN-CREATION, all supplicants that successfully authenticate will be
made part of the VLAN of which the authenticator port is a member,
regardless of the VLAN ID attribute in the RADIUS server response.

Enabled for single dynamic VLAN creation - AUTH DYNAMIC-
VLAN-CREATION SINGLE

If dynamic VLAN creation is enabled by issuing AUTH DYNAMIC-VLAN-
CREATION SINGLE, the first supplicant is authenticated and put in its
VLAN per the RADIUS server response. Additional supplicants
authenticating to the same VLAN as the first authenticated supplicant will
be authenticated and placed in the VLAN. However, all other supplicants
authenticating to a different VLAN will be denied access.