Guest vlan – Allied Telesis AT-S62 User Manual

AT-S62 Management Software Menus Interface User’s Guide

Section VI: Port Security

Multiple Operating Mode

The initial authentication on an authenticator port running in the Multiple
operating mode is handled in the same fashion as with the Single
operating mode. If the switch receives a valid VLAN ID or name from the
RADIUS server, it moves the authenticator port to the designated VLAN
and changes the port to the authorized state.

How the switch handles subsequent authentications on the same port
depends on how you set the Secure VLAN parameter. Your options are as
follows:

• If you activate the Secure VLAN feature, only those supplicants with
  the same VLAN assignment as the initial supplicant are authenticated.
  Supplicants with a different VLAN assignment or with no VLAN
  assignment are denied access to the port.

• If you disable the Secure VLAN feature, all supplicants, regardless of
  their assigned VLANs, are authenticated. However, the port remains in
  the VLAN specified in the initial authentication.

Supplicant VLAN Attributes on the RADIUS Server

Here is the information that you need to configure on the RADIUS server
in order to associate a VLAN with a supplicant.

• Tunnel-Type
  The protocol to be used by the tunnel specified by
  Tunnel-Private-Group-Id. The only supported value is VLAN (13).

• Tunnel-Medium-Type
  The transport medium to be used for the tunnel specified by
  Tunnel-Private-Group-Id. The only supported value is 802 (6).

• Tunnel-Private-Group-ID
  The ID of the tunnel the authenticated user should use. This must be
  the name or VID of the VLAN on the switch.
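
The following is an added example, not part of the manual or of the AT-S62 software. It decodes the three attributes above from raw RADIUS attribute bytes and models how a Multiple mode port treats later supplicants with Secure VLAN on or off. The attribute numbers (64, 65, 81) and the tag-byte layout come from RFC 2868, not from this page; the names parse_vlan, build_attrs and MultiModePort are hypothetical, and comparing assignments as plain strings is an assumption.

```python
# Added example: RFC 2868 tunnel attributes plus a model of Multiple mode.
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81   # RADIUS attribute numbers
VLAN, IEEE_802 = 13, 6                                 # only values the switch supports

def parse_vlan(attrs: bytes):
    """Return the VLAN name or VID carried in raw attribute TLVs, else None."""
    found, i = {}, 0
    while i < len(attrs):
        alen = attrs[i + 1] if i + 1 < len(attrs) else 0
        if alen < 3 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        atype, val = attrs[i], attrs[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            if alen != 6:
                raise ValueError("tunnel attribute must be 6 bytes")
            found[atype] = int.from_bytes(val[1:], "big")  # skip 1-byte tag
        elif atype == TUNNEL_PGID:
            # A first byte above 0x1F is string data, not a tag (RFC 2868)
            found[atype] = (val[1:] if val[0] <= 0x1F else val).decode("ascii")
        i += alen
    if found.get(TUNNEL_TYPE) != VLAN or found.get(TUNNEL_MEDIUM) != IEEE_802:
        return None
    return found.get(TUNNEL_PGID) or None

def build_attrs(vlan: str) -> bytes:
    """Constructed sample input: the three attributes, tag byte 0."""
    pgid = b"\x00" + vlan.encode("ascii")
    return (bytes([TUNNEL_TYPE, 6, 0]) + VLAN.to_bytes(3, "big")
            + bytes([TUNNEL_MEDIUM, 6, 0]) + IEEE_802.to_bytes(3, "big")
            + bytes([TUNNEL_PGID, 2 + len(pgid)]) + pgid)

class MultiModePort:
    """Hypothetical model of an authenticator port in Multiple mode."""
    def __init__(self, secure_vlan: bool):
        self.secure_vlan, self.port_vlan = secure_vlan, None

    def authenticate(self, attrs: bytes):
        """Return (authenticated, port VLAN, assignment differs from port VLAN)."""
        assigned = parse_vlan(attrs)
        if self.port_vlan is None:          # initial supplicant sets the port VLAN
            if assigned is None:
                raise ValueError("initial supplicant without a VLAN is outside this model")
            self.port_vlan = assigned
            return True, assigned, False
        differs = assigned != self.port_vlan  # assumption: plain string comparison
        if self.secure_vlan and differs:
            return False, self.port_vlan, True
        return True, self.port_vlan, differs
```

With Secure VLAN disabled, a result of (True, port VLAN, True) marks a supplicant that was authenticated onto a VLAN other than the one the RADIUS server assigned to it, which is the case to look for when reviewing segmentation on shared ports.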

Guest VLAN

An authenticator port in the unauthorized state typically accepts and
transmits only 802.1x packets while waiting for a supplicant to be
authenticated. However, you can configure an authenticator port to be a
member of a Guest VLAN when no supplicant is logged on. Any client
using the port is not required to log on and has full access to the resources
of the Guest VLAN.

If the switch receives 802.1x packets on the port, signalling that a
supplicant is logging on, it moves the port to its predefined VLAN and
places it in the unauthorized state. The port remains in the unauthorized
state until the log on process between the supplicant and the RADIUS
server is completed. When the supplicant logs off, the port is automatically
returned to the Guest VLAN.