Guest vlan, 1x monitor mode – Dell POWEREDGE M1000E User Manual

Page 765


802.1x Commands


Guest VLAN

The Guest VLAN feature allows a PowerConnect switch to provide a distinguished service to unauthenticated users (not rogue users who fail authentication). This feature provides a mechanism that gives visitors and contractors network access to reach the external network, with no ability to surf the internal LAN.

When a client that does not support 802.1X is connected to an unauthorized port that is 802.1X-enabled, the client does not respond to the 802.1X requests from the switch. Therefore, the port remains in the unauthorized state, and the client is not granted access to the network. If a guest VLAN is configured for that port, then the port is placed in the configured guest VLAN, and the port is moved to the authorized state, allowing access to the client.

802.1x Monitor Mode

Monitor mode is a special mode that can be enabled in conjunction with Dot1x authentication. It allows network access even in cases where authentication fails, but logs the results of the authentication process for diagnostic purposes. The exact details are described in the sections below.

The main aim of monitor mode is to give the operator a mechanism to identify shortcomings in the configuration of Dot1x authentication on the switch without affecting network access for the users of the switch.

There are three important aspects to this feature after activation:

1 To allow successful authentications using the returned information from the authentication server.

2 To provide a mechanism to report unsuccessful authentications without negative repercussions to the user due to operator errors or failure cases from the authentication server or supplicants.

3 To accurately report the data received from the successful and unsuccessful operations so that the operator can make the appropriate changes or learn where the problem areas are.
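An added example, not taken from the Dell manual: one way an operator could use monitor-mode results to see which clients would lose access once monitor mode is turned off, applying the Guest VLAN rule above and the failure causes this page names (RADIUS access reject, RADIUS timeout, Dot1x-unaware client). The record format, interface names, MAC addresses and VLAN id are constructed, and the code assumes that without monitor mode a failed client's port stays unauthorized.

```python
from collections import defaultdict

# Constructed sample records (not real switch output): interface, MAC, result, reason.
SAMPLE_LOG = """\
Gi1/0/1 00:11:22:33:44:01 success -
Gi1/0/2 00:11:22:33:44:02 fail radius-reject
Gi1/0/3 00:11:22:33:44:03 fail radius-timeout
Gi1/0/4 00:11:22:33:44:04 fail dot1x-unaware
Gi1/0/5 00:11:22:33:44:05 fail dot1x-unaware
"""

# Ports that have a guest VLAN configured (constructed; hypothetical VLAN id).
GUEST_VLAN = {"Gi1/0/4": 99}

# What the operator should look at for each failure cause the page names.
FIX_HINT = {
    "radius-reject": "check credentials/policy on the authentication server",
    "radius-timeout": "check that the RADIUS server is reachable and responding",
    "dot1x-unaware": "install a supplicant or configure a guest VLAN",
}

def parse(log):
    """Yield (interface, mac, result, reason) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] in ("success", "fail"):
            yield tuple(parts)

def enforcement_impact(log, guest_vlan):
    """Classify each client by what happens once monitor mode is turned off."""
    impact = defaultdict(set)
    for iface, mac, result, reason in parse(log):
        if result == "success":
            impact["authorized"].add((iface, mac))
        elif reason == "dot1x-unaware" and iface in guest_vlan:
            # Guest VLAN section: a non-responding client is placed in the guest VLAN.
            impact["guest-vlan"].add((iface, mac))
        else:
            # Assumption: without monitor mode the port stays unauthorized.
            impact["blocked:" + reason].add((iface, mac))
    return {k: sorted(v) for k, v in impact.items()}

def report(log, guest_vlan):
    """One line per client: outcome under enforcement plus what to check."""
    out = enforcement_impact(log, guest_vlan)
    return [f"{i} {m} -> {o} ({FIX_HINT.get(o.partition(':')[2], 'no action needed')})"
            for o in sorted(out) for i, m in out[o]]

print("\n".join(report(SAMPLE_LOG, GUEST_VLAN)))
```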

Monitor mode can be configured globally on a switch. If the switch fails to authenticate the user for any reason (say, a RADIUS access reject from the RADIUS server, a RADIUS timeout, or the client itself being Dot1x unaware), the

2CSPC4.XModular-SWUM200.book Page 765 Thursday, March 10, 2011 11:18 AM
