Users Guide

Authentication, Authorization, and Accounting 341
Guest VLAN
The Guest VLAN feature provides a mechanism to allow users access to a
guest VLAN. For example, the administrator might provide a guest VLAN to
visitors and contractors so that they can connect to external network
resources, such as the Internet, with no ability to access information on the
internal LAN.
As an example, on a port configured in auto authentication mode (dot1x
port-control auto) and connected to a client that does not support 802.1X,
the client does not respond to the 802.1X requests from the switch. The port
remains in the unauthorized state and the client is not granted access to the
network. If a guest VLAN is configured for that port, the port is placed in the
configured guest VLAN and moved to the authorized state, allowing access to
the client over the guest VLAN.
When the guest VLAN capability is disabled, users authorized by the guest
VLAN are removed from the VLAN and denied network access.
What is Monitor Mode?
The monitor mode is a special mode that can be enabled in conjunction with
802.1X authentication. Monitor mode provides a way for network
administrators to identify possible issues with the 802.1X configuration on
the switch without affecting network access for the users of the switch. It
allows network access even when authentication fails, but logs the results of
the authentication process for diagnostic purposes.
The monitor mode can be configured globally on a switch. If the switch fails
to authenticate a user for any reason (for example, a RADIUS access reject
from the RADIUS server, a RADIUS timeout, or a client that is itself dot1x-unaware),
the client is authenticated and is undisturbed by the failure condition(s). The
reasons for failure are logged for tracking purposes.
Table 10-11 provides a summary of the 802.1X Monitor Mode behavior.
NOTE: MAB and the guest VLAN feature are mutually exclusive on a port. If MAB
is enabled on a port concurrently with guest VLAN, the port will not move to the
authorized state.
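
The following added example (not taken from the guide or the switch software) models the guest VLAN, MAB, and monitor mode behavior described above, and lists the clients that have access only because monitor mode is on. The port names, MAC addresses, VLAN 99, the outcome labels, and the handling of reject/timeout on a guest VLAN port are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    name: str
    guest_vlan: Optional[int] = None  # None: no guest VLAN configured
    mab: bool = False                 # MAC Authentication Bypass enabled

def enforced(port, outcome):
    """Port result with monitor mode off -> (authorized, detail)."""
    if outcome == "success":
        return True, "802.1X success"
    if outcome == "no_response" and port.guest_vlan is not None:
        if port.mab:  # mutually exclusive features: port never authorizes
            return False, "MAB and guest VLAN both enabled"
        return True, f"guest VLAN {port.guest_vlan}"
    # Assumption: reject/timeout get no guest VLAN; the page only
    # describes the guest VLAN for clients that do not respond.
    return False, outcome

def monitored(port, outcome):
    """Monitor mode: access is allowed, the failure reason is only logged."""
    ok, detail = enforced(port, outcome)
    return True, (detail if ok else f"logged failure: {detail}")

def relies_on_monitor_mode(ports, observations):
    """Clients that would lose access once monitor mode is disabled."""
    findings = []
    for port_name, mac, outcome in observations:
        ok, detail = enforced(ports[port_name], outcome)
        if not ok:
            findings.append((port_name, mac, detail))
    return findings

# Constructed sample data (port names, MACs and VLAN 99 are made up).
PORTS = {p.name: p for p in [
    Port("Gi1/0/1"), Port("Gi1/0/2", guest_vlan=99),
    Port("Gi1/0/3", guest_vlan=99, mab=True), Port("Gi1/0/4", guest_vlan=99),
]}
OBSERVED = [
    ("Gi1/0/1", "00:00:5e:00:53:01", "no_response"),
    ("Gi1/0/2", "00:00:5e:00:53:02", "no_response"),
    ("Gi1/0/3", "00:00:5e:00:53:03", "no_response"),
    ("Gi1/0/4", "00:00:5e:00:53:04", "radius_reject"),
    ("Gi1/0/2", "00:00:5e:00:53:05", "success"),
]

if __name__ == "__main__":
    for finding in relies_on_monitor_mode(PORTS, OBSERVED):
        print(*finding)
```

Reviewing this list before disabling monitor mode shows which ports need a guest VLAN, a MAB/guest VLAN conflict resolved, or a RADIUS fix.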