Allied Telesis AT-9000 Series User Manual

Chapter 60: 802.1x Port-based Network Access Control

Authenticator and supplicant ports must be untagged ports. They
cannot be tagged ports.

Authenticator ports cannot use MAC address-based port security.
For further information, refer to Chapter 58, “MAC Address-based
Port Security” on page 839.

Authenticator ports cannot be members of static port trunks, LACP
port trunks, or a port mirror.

A port set to the supplicant role and connected to a port that is not
set to the authenticator role will begin to forward traffic after a
timeout period, without having logged on. No authentication is
enforced on such a link, so check that the far end is in fact an
authenticator port if you rely on the supplicant role for access control.

Authenticator ports cannot use GVRP.

When 802.1x port-based network access control is activated on
the switch, the feature polls all RADIUS servers specified in the
RADIUS configuration. If three servers have been configured, the
switch polls all three. If server 1 responds, all future requests go
only to that server. If server 1 stops responding, the switch again
polls all RADIUS servers. If server 2 responds, but not server 1,
then all future requests go to servers 1 and 2. If only server 3
responds, then all future requests go to all three servers.
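The server selection rule in the paragraph above can be modelled to check
what a given outage does to request routing. The model below is an added
example, not code from this manual or from Allied Telesis. It assumes the
rule the text implies: after a poll of every configured server, later
requests go to every server up to and including the lowest-numbered one
that answered; while that set is in use the switch keeps sending to it as
long as at least one member answers (an assumption, since the page does
not describe partial failures inside the set); when no member answers it
polls every server again. The server names and the sequence of outages
are constructed for the example.

```python
"""Model of the RADIUS server selection described in the 802.1x guidelines.

Added example; the selection rule and its handling of partial failures are
assumptions as stated in the lead-in, not behaviour confirmed by the manual.
"""


class RadiusSelector:
    """Tracks which configured RADIUS servers receive 802.1x requests."""

    def __init__(self, servers):
        self.servers = list(servers)   # configured order: server 1, 2, 3, ...
        self.active = []               # empty means "poll every server"

    def send(self, responding):
        """Issue one request round.

        `responding` is the set of servers that would answer this round
        (constructed for the example). Returns the servers the request was
        sent to; self.active is updated for the next round.
        """
        targets = self.active or list(self.servers)
        answered = [s for s in targets if s in responding]
        if not answered and targets != self.servers:
            # every server in the active set failed: poll all of them again
            targets = list(self.servers)
            answered = [s for s in targets if s in responding]
        if targets == self.servers:
            # a full poll: keep servers up to the lowest-numbered responder
            if answered:
                first = min(self.servers.index(s) for s in answered)
                self.active = self.servers[: first + 1]
            else:
                self.active = []
        return targets


def walk_through(servers=("srv1", "srv2", "srv3")):
    """Replay the scenario from the manual; returns the targets of each round."""
    sel = RadiusSelector(servers)
    rounds = [
        {"srv1", "srv2", "srv3"},  # activation: everything answers
        {"srv1", "srv2", "srv3"},  # only srv1 is queried from now on
        {"srv2", "srv3"},          # srv1 stops responding: poll all again
        {"srv2", "srv3"},          # srv1 and srv2 are now both queried
        {"srv3"},                  # srv2 also fails: poll all again
        {"srv3"},                  # only srv3 answered, so all three stay in use
    ]
    return [sel.send(up) for up in rounds]


if __name__ == "__main__":
    for i, targets in enumerate(walk_through(), 1):
        print(f"round {i}: request sent to {targets}")
```

Note that once server 1 has failed and server 2 has taken over, every
request is still sent to server 1 as well, so a dead first server costs a
timeout on each authentication until it is removed from the configuration
or comes back.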

You cannot change the untagged VLAN assignment of a port after
it has been designated as an authenticator port. To change the
untagged VLAN assignment of an authenticator port, you must first
remove the authenticator designation. You can reapply the
authenticator role to the port after moving it to its new VLAN
assignment.

To use the Guest VLAN feature, you have to manually create the
VLAN. The switch does not create it automatically.

Guest VLANs can be port-based or tagged VLANs.

The switch supports EAP-MD5, EAP-TLS, EAP-TTLS, EAP-LEAP and EAP-PEAP
authentication. Of these, EAP-MD5 does not authenticate the server and,
like EAP-LEAP, exposes a password challenge/response that an attacker
who captures it can attack offline with a dictionary. Where the
supplicants allow it, use EAP-TLS, EAP-TTLS or EAP-PEAP, which carry the
credential exchange inside a TLS tunnel (EAP-TLS uses client certificates
rather than passwords).

The switch must have a management IP address to communicate
with the RADIUS server. For background information, refer to
Chapter 13, “IPv4 and IPv6 Management Addresses” on page 257.

Here are the guidelines to adding VLAN assignments to supplicant
accounts on a RADIUS server:

The VLAN can be either a port-based or tagged VLAN.

The VLAN must already exist on the switch.

A client can have only one VLAN associated with it on the RADIUS
server.

When a supplicant logs on, the switch port is moved as an
untagged port to the designated VLAN.
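The following shows how the four guidelines above play out when the switch
receives an Access-Accept. It is an added example, not code from this
manual or from Allied Telesis, and it assumes the RADIUS server returns
the VLAN in the standard RFC 3580 attributes: Tunnel-Type (64) = VLAN
(13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID
(81) = VLAN ID or VLAN name. The switch, its VLAN table, the port name
and the attribute values are all constructed for the example.

```python
"""Switch-side check of a RADIUS VLAN assignment for an 802.1x supplicant.

Added example. Attribute numbers follow RFC 3580 / RFC 2868; that the
AT-9000 reads exactly these attributes is an assumption, not a statement
from the manual.
"""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def strip_tag(value):
    """RFC 2868 tunnel attributes may start with a tag octet (0x00-0x1F)
    that is not part of the value; drop it if present."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


class Switch:
    """Minimal VLAN table: vid -> (name, set of untagged ports)."""

    def __init__(self, vlans):
        self.vlans = {vid: (name, set()) for vid, name in vlans}

    def untagged_vlan(self, port):
        return next((vid for vid, (_, ports) in self.vlans.items() if port in ports), None)

    def add_untagged(self, port, vid):
        self.vlans[vid][1].add(port)

    def find_vlan(self, group_id):
        """Tunnel-Private-Group-ID may carry a VLAN ID or a VLAN name."""
        text = strip_tag(group_id).decode("ascii", errors="replace")
        if text.isdigit():
            return int(text) if int(text) in self.vlans else None
        return next((vid for vid, (name, _) in self.vlans.items() if name == text), None)

    def apply_access_accept(self, port, attrs):
        """Move `port` according to Access-Accept attributes [(type, bytes), ...].

        Returns the VLAN ID the port is now untagged in. Raises ValueError
        when the assignment breaks the guidelines; the port then stays put.
        """
        by_type = {}
        for attr_type, value in attrs:
            by_type.setdefault(attr_type, []).append(value)

        groups = by_type.get(TUNNEL_PRIVATE_GROUP_ID, [])
        if not groups:
            return self.untagged_vlan(port)   # no VLAN attribute: nothing changes
        if len(groups) > 1:
            raise ValueError("a supplicant may have only one VLAN on the RADIUS server")

        types = [int.from_bytes(strip_tag(v), "big") for v in by_type.get(TUNNEL_TYPE, [])]
        media = [int.from_bytes(strip_tag(v), "big") for v in by_type.get(TUNNEL_MEDIUM_TYPE, [])]
        if TUNNEL_TYPE_VLAN not in types or TUNNEL_MEDIUM_IEEE_802 not in media:
            raise ValueError("Tunnel-Type must be VLAN (13) and Tunnel-Medium-Type IEEE-802 (6)")

        vid = self.find_vlan(groups[0])
        if vid is None:
            raise ValueError("the assigned VLAN must already exist on the switch")

        # The port leaves its current untagged VLAN and joins the new one untagged.
        for _, ports in self.vlans.values():
            ports.discard(port)
        self.add_untagged(port, vid)
        return vid


def demo():
    """Constructed sample: VLANs 1, 10 'staff', 20 'guest'; the port starts in VLAN 1."""
    sw = Switch([(1, "default"), (10, "staff"), (20, "guest")])
    sw.add_untagged("port1.0.5", 1)
    accept = [
        (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),        # tag 0x00, integer 13 = VLAN
        (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"), # tag 0x00, integer 6 = IEEE-802
        (TUNNEL_PRIVATE_GROUP_ID, b"\x00staff"),   # tag 0x00 followed by the VLAN name
    ]
    return sw.apply_access_accept("port1.0.5", accept)


if __name__ == "__main__":
    print("port1.0.5 moved to VLAN", demo())
```

A supplicant whose account names a VLAN that was never created on the
switch, or that carries two VLAN attributes, is rejected rather than
silently placed somewhere else, which is the behaviour to test for when
adding VLAN assignments to RADIUS accounts.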
