3Com 4210G Series Configuration Manual page 554

The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned
VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after
a user passes authentication. After the user goes offline, the port returns to the initial VLAN of the port.
For details about VLAN configuration, refer to VLAN Configuration in the Access Volume.
With a Hybrid port, the VLAN assignment will fail if you have configured the assigned VLAN to
carry tags.
With a Hybrid port, you cannot configure an assigned VLAN to carry tags after the VLAN has been
assigned.
Guest VLAN
Guest VLAN allows unauthenticated users and users failing the authentication to access a specified
VLAN, where the users can, for example, download or upgrade the client software, or execute some
user upgrade programs. This VLAN is called the guest VLAN.
Currently, on the S4210G series Ethernet switches, a guest VLAN can be only a port-based guest
VLAN (PGV), which is supported on a port that uses the access control method of portbased.
With PGV configured on a port, if no users are successfully authenticated on the port in a certain
period of time (90 seconds by default), the port will be added to the guest VLAN and all users
accessing the port will be authorized to access the resources in the guest VLAN.
The device adds a PGV-configured port into the guest VLAN according to the port's link type in the
similar way as described in VLAN assignment. When a user of a port in the guest VLAN initiates an
authentication, if the authentication is not successful, the port stays in the guest VLAN; if the
authentication is successful, the port leaves the guest VLAN, and:
If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes
offline, the port returns to its initial VLAN, that is, the VLAN specified for it during port configuration,
or, in other words, the VLAN it was in before it joined the guest VLAN.
If the authentication server does not assign any VLAN, the port returns to its initial VLAN. After the
client goes offline, the port just stays in its initial VLAN.
ACL assignment
ACLs provide a way of controlling access to network resources and defining access rights. When a
user logs in through a port, and the RADIUS server is configured with authorization ACLs, the device
will permit or deny data flows traversing through the port according to the authorization ACLs. Before
specifying authorization ACLs on the server, you need to configure the ACL rules on the device. You
can change the access rights of users by modifying authorization ACL settings on the RADIUS server
or changing the corresponding ACL rules on the device.
Online User Handshake Function
The online user handshake function allows the device to send handshake messages to online users to
check whether the users are still online at the interval specified by the dot1x timer handshake-period
command. If the device does not receive any response from an online user after the device has sent
2-11