Guest vlan – Allied Telesis AT-S63 User Manual
Page 737
AT-S63 Management Software Menus Interface User’s Guide
Section VIII: Port Security
737
Multiple Operating Mode
The initial authentication on an authenticator port running in the Multiple
operating mode is handled in the same fashion as with the Single
operating mode. If the switch receives a valid VLAN ID or name from the
RADIUS server, it moves the authenticator port to the designated VLAN
and changes the port to the authorized state.
How the switch handles subsequent authentications on the same port
depends on how you set the Secure VLAN parameter. Your options are as
follows:
If you activate the Secure VLAN feature, only those supplicants with
the same VLAN assignment as the initial supplicant are authenticated.
Supplicants with a different VLAN assignment or with no VLAN
assignment are denied access to the port.
If you disable the Secure VLAN feature, all supplicants, regardless of
their assigned VLANs, are authenticated. However, the port remains in
the VLAN specified in the initial authentication.
Supplicant VLAN Attributes on the RADIUS Server
The following information must be entered as part of a supplicant’s
account on the RADIUS server when associating a supplicant to a VLAN.
Tunnel-Type
The protocol to be used by the tunnel specified by Tunnel-Private-
Group-Id. The only supported value is VLAN (13).
Tunnel-Medium-Type
The transport medium to be used for the tunnel specified by Tunnel-
Private-Group-Id. The only supported value is 802 (6).
Tunnel-Private-Group-ID
The ID of the tunnel the authenticated user should use. This must be
the name of VID of the VLAN of the switch.
Guest VLAN
An authenticator port in the unauthorized state typically accepts and
transmits only 802.1x packets while waiting for an supplicant to be
authenticated. However, you can configure an authenticator port to be a
member of a Guest VLAN when no supplicant is logged on. Any client
using the port is not required to log on and has full access to the resources
of the Guest VLAN.
If the switch receives 802.1x packets on the port, signalling that a
supplicant is logging on, it moves the port to its predefined VLAN and
places it in the unauthorized state. The port remains in the unauthorized
state until the log on process between the supplicant and the RADIUS
server is completed. When the supplicant logs off, the port is automatically
returned to the Guest VLAN.