Dell POWEREDGE M1000E User Manual

Page 514


Configuring 802.1X and Port-Based Security

Dynamic VLAN Creation

If RADIUS-assigned VLANs are enabled through the Authorization Network RADIUS configuration option, the RADIUS server is expected to include the VLAN ID in the tunnel attributes of its Access-Accept response to the switch (per RFC 3580: Tunnel-Type set to VLAN, Tunnel-Medium-Type set to IEEE-802, and Tunnel-Private-Group-ID carrying the VLAN ID). If dynamic VLAN creation is enabled on the switch and the RADIUS-assigned VLAN does not exist, the switch creates that VLAN dynamically. A client can therefore connect from any port and be placed in the appropriate VLAN, which lets clients move around the network with little additional configuration. Note that with this feature the RADIUS server's response decides not only which VLAN a port joins but also which VLANs exist on the switch, so the integrity of the RADIUS exchange (the shared secret and the Response Authenticator check) is what stands between an attacker and the ability to create or assign VLANs.
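
The VLAN assignment described above is carried in three RADIUS attributes, and the switch only honours them from a response whose Response Authenticator validates under the shared secret. The following is an added example, not code from the Dell manual or from the switch firmware: it encodes the RFC 3580 tunnel attributes, wraps them in an Access-Accept with a correct Response Authenticator (RFC 2865), and shows the checks a receiving switch performs before applying the VLAN. The shared secret, the Request Authenticator and the VLAN IDs are constructed test values; the `assigned_vlan` helper is an illustration of the switch-side logic, not the switch's own implementation.

```python
"""Added example (not from the Dell manual): build and validate the RADIUS
Access-Accept attributes that assign a VLAN (RFC 3580 / RFC 2868)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2                 # RADIUS code (RFC 2865)
TUNNEL_TYPE = 64                  # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13             # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6        # RFC 3580: Tunnel-Medium-Type value for 802


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: type, length, 1-byte tag, 3-byte integer."""
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """Tunnel-Private-Group-ID: type, length, 1-byte tag (0x00-0x1F), string."""
    body = bytes([tag]) + value.encode()
    return struct.pack(">BB", attr_type, 2 + len(body)) + body


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes a RADIUS server returns to assign a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes,
                        secret: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s.3)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def parse_attributes(attrs: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(attrs):
        alen = attrs[i + 1] if i + 1 < len(attrs) else 0
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        out.append((attrs[i], attrs[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """VLAN ID the switch should apply, or None when the packet is not an
    authentic Access-Accept carrying a consistent VLAN assignment."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None   # forged or wrong shared secret: never honour the VLAN
    # Tunnel attributes are grouped by tag; all three must share one tag.
    groups: Dict[int, Dict[int, bytes]] = {}
    for atype, value in parse_attributes(attrs):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not value:
            continue
        tag, body = value[0], value[1:]
        if tag > 0x1F:            # no tag byte: first byte is part of the value
            tag, body = 0, value
        groups.setdefault(tag, {})[atype] = body
    for g in groups.values():
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            vid = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
            if vid.isdigit() and 1 <= int(vid) <= 4094:
                return int(vid)
    return None


def demo() -> Dict[str, Optional[int]]:
    """Constructed round trip: genuine, wrong secret, tampered VLAN, untagged form."""
    secret = b"constructed-shared-secret"            # constructed test secret
    request_auth = bytes(range(16))                  # constructed Request Authenticator
    good = build_access_accept(7, request_auth, vlan_attributes(200), secret)
    tampered = good[:-1] + b"1"                      # "200" -> "201" without re-signing
    untagged = (tagged_int(TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN)
                + tagged_int(TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_IEEE_802)
                + bytes([TUNNEL_PRIVATE_GROUP_ID, 5]) + b"300")   # no tag byte
    return {
        "genuine": assigned_vlan(good, request_auth, secret),                  # 200
        "wrong_secret": assigned_vlan(good, request_auth, b"not-the-secret"),  # None
        "tampered": assigned_vlan(tampered, request_auth, secret),             # None
        "untagged": assigned_vlan(build_access_accept(8, request_auth, untagged, secret),
                                  request_auth, secret),                       # 300
    }
```

Running `demo()` returns 200 for the genuine response and None for the same response checked with the wrong secret or with the VLAN string altered after the fact; the untagged variant (some servers omit the RFC 2868 tag byte) still resolves to 300. The point for dynamic VLAN creation is the `None` cases: an Access-Accept that fails the Response Authenticator check must not create or assign anything, so the shared secret is the control that keeps an on-path attacker from populating the switch with VLANs of their choosing.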

Guest VLAN

The Guest VLAN feature allows a switch to provide a distinguished service to unauthenticated users. It provides a mechanism to allow such users access to hosts on the guest VLAN. For example, a company might provide a guest VLAN to visitors and contractors that permits network access to external resources, such as the Internet, with no ability to reach information on the internal LAN.

In port-based 802.1X mode, when a client that does not support 802.1X is connected to an unauthorized port that is 802.1X-enabled, the client does not respond to the switch's 802.1X requests (the EAP-Request/Identity frames the authenticator sends). Therefore the port remains in the unauthorized state and the client is not granted access to the network. If a guest VLAN is configured for that port, the port is placed in the configured guest VLAN and moved to the authorized state, allowing the client access. However, if the port is in MAC-based 802.1X authentication mode, the port as a whole is not moved to the authorized state; authorization is tracked per client MAC address, which makes it possible for authenticated and guest clients to use the same port at the same time.

Client devices that are 802.1X-supplicant-enabled authenticate with the switch when they are plugged into the 802.1X-enabled switch port. The switch verifies the credentials of the client by communicating with an authentication server. If the credentials are verified, the authentication server informs the switch to unblock the switch port and allow the client unrestricted access to the network; that is, the client is a member of an internal VLAN.

Guest VLAN Supplicant mode can be configured on a per-port basis. If a client does not attempt authentication on a port, and the port is configured for Guest VLAN, the client is assigned to the Guest VLAN configured on that