AMX NXA-ENET8-2POE Instruction Manual page 61

Gigabit PoE Ethernet switch

Network Access Server Configuration Parameters (Cont.)
System Configuration (Cont.)
• Aging Period
• Hold Time
• RADIUS-Assigned QoS Enabled
• RADIUS-Assigned VLAN Enabled
• Guest VLAN Enabled
Aging Period: The period used to calculate when to age out a client allowed access to the switch through Single 802.1X, Multi
802.1X, and MAC-based authentication as described below. (Range: 10-1000000 seconds; Default: 300 seconds)
When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module needs to
check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within
the given age period.
If reauthentication is enabled and the port is in an 802.1X-based mode, this is not so critical, since supplicants that
are no longer attached to the port will get removed upon the next reauthentication, which will fail. But if
reauthentication is not enabled, the only way to free resources is by aging the entries.
For ports in MAC-based Auth. mode, reauthentication does not cause direct communication between the switch
and the client, so this will not detect whether the client is still attached or not, and the only way to free any
resources is to age the entry.
Hold Time: The time after an EAP Failure indication or RADIUS timeout that a client is not allowed access. This setting applies
to ports running Single 802.1X, Multi 802.1X, or MAC-based authentication. (Range: 10-1000000 seconds;
Default: 10 seconds).
If the RADIUS server denies a client access, or a RADIUS server request times out (according to the timeout
specified on the AAA menu on page 109), the client is put on hold in the Unauthorized state. In this state, the hold
timer does not count down during an ongoing authentication.
In MAC-based Authentication mode, the switch will ignore new frames coming from the client during the hold time.
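A simplified model of the two timers for a port in MAC-based authentication mode, added here as an illustration and not taken from the manual or the switch firmware. The class, the `radius` callable and the sample MAC addresses are hypothetical; the model frees an entry as soon as it has been idle for the aging period and does not model the hold timer pausing during an ongoing authentication.

```python
from dataclasses import dataclass, field

@dataclass
class MacAuthPort:
    aging_period: int = 300   # seconds, the manual's default
    hold_time: int = 10       # seconds, the manual's default
    authorized: dict = field(default_factory=dict)  # MAC -> last activity
    on_hold: dict = field(default_factory=dict)     # MAC -> hold expiry
    radius_requests: int = 0

    def expire(self, now):
        """Free idle authorized entries and holds that have run out."""
        self.authorized = {m: t for m, t in self.authorized.items()
                           if now - t < self.aging_period}
        self.on_hold = {m: t for m, t in self.on_hold.items() if now < t}

    def frame(self, mac, now, radius):
        """Handle a frame from `mac` at time `now` (seconds).

        `radius` is a hypothetical callable standing in for the RADIUS
        exchange; it returns "accept", "reject" or "timeout".
        """
        self.expire(now)
        if mac in self.on_hold:
            return "ignored"             # frames are ignored while on hold
        if mac in self.authorized:
            self.authorized[mac] = now   # activity keeps the entry alive
            return "forwarded"
        self.radius_requests += 1
        if radius(mac) == "accept":
            self.authorized[mac] = now
            return "authorized"
        self.on_hold[mac] = now + self.hold_time   # reject or timeout
        return "held"

def replay(port, events, radius):
    """Feed (time, mac) events to the port and return the outcomes."""
    return [port.frame(mac, now, radius) for now, mac in events]

# Constructed sample: one client the server accepts, one it rejects.
KNOWN, UNKNOWN = "00:00:5e:00:53:01", "00:00:5e:00:53:02"

def sample_radius(mac):
    return "accept" if mac == KNOWN else "reject"
```

Replaying a rejected client that retries every second shows the hold time limiting it to one RADIUS request per hold period, while an accepted client that goes idle longer than the aging period has to authenticate again.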
RADIUS-Assigned QoS Enabled: RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic coming from a
successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to
transmit special RADIUS attributes to take advantage of this feature.
The RADIUS-Assigned QoS Enabled checkbox provides a quick way to globally enable/disable RADIUS-server
assigned QoS Class functionality. When checked, the individual port settings determine whether RADIUS-assigned
QoS Class is enabled for that port. When unchecked, RADIUS-server assigned QoS Class is disabled for all ports.
When RADIUS-Assigned QoS is both globally enabled and enabled for a given port, the switch reacts to QoS Class
information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is
successfully authenticated. If present and valid, traffic received on the supplicant's port will be classified to the
given QoS Class.
If (re-)authentication fails, or the RADIUS Access-Accept packet no longer carries a QoS Class or carries an invalid
one, or the supplicant is otherwise no longer present on the port, the port's QoS Class is immediately reverted to the
original QoS Class (which may be changed by the administrator in the meantime without affecting the RADIUS-assigned
setting). This option is only available for single-client modes, i.e. port-based 802.1X and Single 802.1X.
See the RADIUS Attributes Used in Identifying a QoS Class section on page 62 for details.
RADIUS-Assigned VLAN Enabled: RADIUS-assigned VLAN provides a means to centrally control the VLAN on which a successfully authenticated
supplicant is placed on the switch. Incoming traffic will be classified to and switched on the RADIUS-assigned
VLAN. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this
feature.
The RADIUS-Assigned VLAN Enabled checkbox provides a quick way to globally enable/disable RADIUS-server
assigned VLAN functionality. When checked, the individual port settings determine whether RADIUS-assigned VLAN
is enabled for that port. When unchecked, RADIUS-server assigned VLAN is disabled for all ports.
When RADIUS-Assigned VLAN is both globally enabled and enabled for a given port, the switch reacts to VLAN ID
information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is
successfully authenticated. If present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port
will be set to be a member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once assigned, all
traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID.
If (re-)authentication fails, or the RADIUS Access-Accept packet no longer carries a VLAN ID or carries an invalid
one, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is immediately reverted to the
original VLAN ID (which may be changed by the administrator in the meantime without affecting the RADIUS-assigned
setting).
This option is only available for single-client modes, i.e. port-based 802.1X and Single 802.1X.
Note: For troubleshooting VLAN assignments, use the Monitor > VLANs > VLAN Membership and VLAN Port pages.
These pages show which modules have (temporarily) overridden the current Port VLAN configuration.
See the RADIUS Attributes Used in Identifying a VLAN ID section on page 63 for details.
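The apply-or-revert rule above, sketched as an added example that is not the switch's firmware or code from the manual. It assumes the VLAN ID arrives in the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and that valid IDs are 1-4094; the attributes this switch actually expects are in the section on page 63. All function names and sample packets are constructed, and verification of the packet's authenticator is not modelled.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID = 64, 65, 81  # RFC 2868 attributes
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6                        # RFC 3580 values

def build(code, attrs):
    """Build a constructed RADIUS packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def attributes(packet):
    """Return {type: value} for a RADIUS packet, or None if malformed."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return None
    found, pos = {}, 20   # attributes start after the 20-byte header
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            return None
        found[packet[pos]] = packet[pos + 2:pos + alen]  # last instance wins
        pos += alen
    return found

def assigned_vlan(packet):
    """VLAN ID carried in an Access-Accept, or None if absent or invalid."""
    found = attributes(packet)
    if found is None or packet[0] != ACCESS_ACCEPT:
        return None
    def number(v):  # tag octet followed by a 3-octet value
        return int.from_bytes(v[1:], "big") if len(v) == 4 else None
    group = found.get(TUNNEL_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # optional RFC 2868 tag octet
        group = group[1:]
    ok = (number(found.get(TUNNEL_TYPE, b"")) == TYPE_VLAN
          and number(found.get(TUNNEL_MEDIUM, b"")) == MEDIUM_IEEE_802
          and group.isdigit() and 1 <= int(group) <= 4094)
    return int(group) if ok else None

def port_vlan(original_pvid, packet):
    """PVID after (re-)authentication; packet=None means it failed."""
    vlan = assigned_vlan(packet) if packet else None
    return original_pvid if vlan is None else vlan

# Constructed sample packet (not captured from a real server).
BASE = [(TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM, b"\x00\x00\x00\x06")]
ACCEPT_VLAN_20 = build(ACCESS_ACCEPT, BASE + [(TUNNEL_GROUP_ID, b"20")])
```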
Guest VLAN Enabled: A Guest VLAN is a special VLAN - typically with limited network access - on which 802.1X-unaware clients are
placed after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the
Guest VLAN as listed below.
The Guest VLAN Enabled checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When
checked, the individual port settings determine whether the port can be moved into Guest VLAN.
When unchecked, the ability to move to the Guest VLAN is disabled for all ports. When Guest VLAN is both globally
enabled and enabled for a given port, the switch considers moving the port into the Guest VLAN according to the
rules outlined below. This option is only available for EAPOL-based modes, i.e. Port-based 802.1X, Single 802.1X,
and Multi 802.1X.
Note: For troubleshooting VLAN assignments, use the Monitor > VLANs > VLAN Membership and VLAN Port pages.
These pages show which modules have (temporarily) overridden the current Port VLAN configuration.
See the Guest VLAN Operation section on page 63 for details.
Configuring the NXA-ENET8-2POE
59
