Administrator Guide

284 Authentication, Authorization, and Accounting
Unauthenticated VLAN
The network administrator may choose to configure an unauthorized VLAN.
Hosts that attempt authentication and fail three times are placed in the
unauthenticated VLAN. Once in the unauthenticated VLAN, authentication
is not reattempted until:
- the re-authentication timer expires
- the supplicant disconnects from the port
- the port is shut down and re-enabled
The number of re-authentication failures required to place a supplicant in the
unauthenticated VLAN is not configurable.
The network administrator can configure the unauthenticated VLAN to
provide the desired level of network access, i.e., a black hole or a guest VLAN
type of access.
Guest VLAN
The Guest VLAN feature provides a mechanism to allow users access to a
guest VLAN. For example, the administrator might provide a guest VLAN to
visitors and contractors to permit network access that allows visitors to
connect to external network resources, such as the Internet, with no ability to
browse information on the internal LAN.
On a port configured in auto authentication mode (dot1x port-control auto),
connected to a client that does not support 802.1X, the client does not
respond to the 802.1X requests from the switch. The port remains in the
unauthorized state and the client is not granted access to the network. If a
guest VLAN is configured for that port, the port is placed in the configured
guest VLAN and the port is moved to the authorized state, allowing access to
the client over the guest VLAN.
When the guest VLAN is disabled, users authorized by the guest VLAN are
removed from the VLAN and denied network access.
NOTE: MAB and the guest VLAN feature are mutually exclusive on a port. If MAB
is enabled on a port concurrently with guest VLAN, the port will not move to the
authorized state.
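The placement rules above can be written as a small model and used to audit a port inventory. This is an added example, not code from the guide or the switch vendor; the Port class, field names, port names and VLAN IDs are hypothetical, and the outcome for a failing client with no unauthenticated VLAN configured is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3  # fixed on the switch per the guide; not configurable

@dataclass
class Port:  # hypothetical model of one port in auto mode, not CLI syntax
    name: str
    guest_vlan: Optional[int] = None
    unauth_vlan: Optional[int] = None
    mab: bool = False

def placement(port, responds_to_dot1x, failures=0, authenticated=False):
    """Return (outcome, vlan) for a client on a port in auto mode."""
    if port.mab and port.guest_vlan is not None:
        # NOTE in the guide: with both enabled the port does not authorize.
        return ("unauthorized", None)
    if not responds_to_dot1x:
        if port.guest_vlan is not None:
            return ("guest", port.guest_vlan)
        return ("unauthorized", None)
    if authenticated:
        return ("authenticated", None)  # VLAN assignment is not covered here
    if failures >= MAX_FAILURES and port.unauth_vlan is not None:
        return ("unauthenticated", port.unauth_vlan)
    # Assumption: without an unauthenticated VLAN the client gets no access.
    return ("unauthorized", None)

def audit(ports, internal_vlans):
    """Flag settings that block authorization or weaken guest isolation."""
    findings = []
    for p in ports:
        if p.mab and p.guest_vlan is not None:
            findings.append((p.name, "MAB and guest VLAN both enabled"))
        for label, vlan in (("guest", p.guest_vlan),
                            ("unauthenticated", p.unauth_vlan)):
            if vlan in internal_vlans:
                findings.append((p.name, f"{label} VLAN {vlan} is an internal VLAN"))
    return findings

# Constructed sample inventory; port names and VLAN IDs are made up.
PORTS = [
    Port("Gi1/0/1", guest_vlan=900, unauth_vlan=999),
    Port("Gi1/0/2", guest_vlan=900, mab=True),
    Port("Gi1/0/3", guest_vlan=10),
]
INTERNAL = {10, 20}

if __name__ == "__main__":
    for finding in audit(PORTS, INTERNAL):
        print(finding)
```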