8 the features of vlan allocation – PLANET WGSW-50040 User Manual


authenticated. User-based advanced control restricts access to limited resources: only some particular users of the port can access limited resources before being authenticated. Once those users pass authentication, they can access all resources.

Attention: when using private supplicant systems, user-based advanced control is recommended to effectively prevent ARP cheating (ARP spoofing).

The maximum number of authenticated users is 4000, but fewer than 2000 is preferred.

25.1.8 The Features of VLAN Allocation

1. Auto VLAN

The Auto VLAN feature enables the RADIUS server to change the VLAN to which the access port belongs, based on the user information and the user access device information. When an 802.1x user passes authentication on the server, the RADIUS server sends the authorization information to the device. If the RADIUS server has enabled the VLAN-assigning function, the following attributes should be included in the Access-Accept messages:

Tunnel-Type = VLAN (13)

Tunnel-Medium-Type = 802 (6)

Tunnel-Private-Group-ID = VLANID

The VLANID here means the VID of the VLAN, ranging from 1 to 4094. For example, Tunnel-Private-Group-ID = 30 means VLAN 30.

When the switch receives the assigned Auto VLAN information, the current Access port will leave the VLAN set by the user and join the Auto VLAN.

Auto VLAN won't change or affect the port's configuration. However, Auto VLAN has a higher priority than the user-set VLAN: Auto VLAN is the one that takes effect when authentication is finished, while the user-set VLAN does not work until the user goes offline.

At present, Auto VLAN can only be used in the port-based access control mode, and on ports whose link type is Access.
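The Access-Accept attributes listed above can be checked before a VLAN assignment is trusted. The following Python sketch is an added example, not code from the PLANET manual or firmware: it parses a RADIUS Access-Accept and returns the VLAN ID only when all three tunnel attributes are present and valid. The attribute numbers (64, 65, 81) and the optional tag byte follow RFC 2868; the function names and the sample packet are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_802 = 13, 6  # the values listed in the manual

def radius_attrs(packet: bytes) -> dict:
    """Parse an Access-Accept into {attribute type: first value seen}."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20
    while pos < length:
        hdr = packet[pos:pos + 2]  # attribute type, attribute length
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(hdr[0], packet[pos + 2:pos + hdr[1]])
        pos += hdr[1]
    return attrs

def tagged_int(value: bytes) -> int:
    """Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tunnel attribute must carry 4 bytes")
    return int.from_bytes(value[1:], "big")

def assigned_vlan(packet: bytes):
    """Return the assigned VID, or None if no tunnel attributes are present."""
    attrs = radius_attrs(packet)
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not any(t in attrs for t in wanted):
        return None
    if not all(t in attrs for t in wanted):
        raise ValueError("incomplete VLAN assignment")
    if (tagged_int(attrs[TUNNEL_TYPE]), tagged_int(attrs[TUNNEL_MEDIUM_TYPE])) != (TT_VLAN, TMT_802):
        raise ValueError("tunnel is not VLAN over 802")
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # optional leading tag byte (RFC 2868)
        group = group[1:]
    text = group.decode("ascii", "replace")
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        raise ValueError(f"invalid VLAN ID {text!r}")
    return int(text)

# Constructed sample: Access-Accept, zeroed authenticator, VLAN 30.
SAMPLE = bytes.fromhex("02010024" + "00" * 16
                       + "40060000000d" + "410600000006" + "51043330")
```

`assigned_vlan(SAMPLE)` returns 30; a packet carrying only some of the three attributes, or a VLAN ID outside 1 to 4094, raises `ValueError` instead of yielding a VLAN.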

2. Guest VLAN

The Guest VLAN feature allows unauthenticated users to access some specified resources.

Before passing 802.1x authentication, the user authentication port belongs to a default VLAN (the Guest VLAN) and has the right to access the resources within this VLAN without authentication, but resources in other networks are beyond reach. Once authenticated, the port will leave the Guest VLAN, and the user can access the resources of other networks.

In Guest VLAN, users can get 802.1x supplicant system software, update supplicant system or update some other applications (such as anti-virus software, the patches of operating system). The access device will add the port into Guest VLAN if there is no supplicant getting authenticated successfully in a certain stretch of time because of lacking exclusive authentication supplicant system or the version of the supplicant system being
