Radius Attributes Used In Identifying A Vlan Id; Guest Vlan Operation; Further Guidelines For Port Admin State - AMX NXA-ENET8-2POE Instruction Manual

Gigabit poe ethernet switch

RADIUS Attributes Used in Identifying a VLAN ID

RFC 2868 and RFC 3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following
criteria are used:
• The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be present at least once in the
  Access-Accept packet.
• The switch looks for the first set of these attributes that have the same Tag value and fulfill the following requirements (if
  Tag == 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag):
  - Value of Tunnel-Medium-Type must be set to IEEE-802 (ordinal 6).
  - Value of Tunnel-Type must be set to VLAN (ordinal 13).
  - Value of Tunnel-Private-Group-ID must be a string of ASCII characters in the range 0-9, which is interpreted as a decimal
    string representing the VLAN ID. Leading '0's are discarded. The final value must be in the range 1-4095.
• The VLAN list can contain multiple VLAN identifiers in the format 1u,2t,3u where u indicates an untagged VLAN and t a
  tagged VLAN.
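
The selection criteria above, sketched as an added example that is not taken from the manual or the switch firmware. It assumes "first set" means the first Tag value, in order of appearance, whose three attributes all qualify; the function names and the sample attribute bytes are constructed for illustration, and the 1u,2t,3u list format is not handled.

```python
# Added example: constructed inputs, not vendor firmware code.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
VLAN, IEEE_802 = 13, 6  # values required by the criteria above


def parse_tunnel_attrs(buf):
    """Yield (type, tag, value) for tunnel attributes in a raw RADIUS attribute list."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 3 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        atype, body = buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(body) == 4:
            tag = body[0] if body[0] <= 0x1F else 0  # out-of-range tag is ignored
            yield atype, tag, int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # The Tag octet is optional here: a first octet above 0x1F is
            # string data, so the attribute belongs to Tag 0.
            tagged = body[0] <= 0x1F
            yield atype, (body[0] if tagged else 0), (body[1:] if tagged else body)


def select_vlan_id(buf):
    """Return the VLAN ID from the first qualifying attribute set, else None."""
    sets = {}  # tag -> {type: first value seen}; dict preserves first-seen order
    for atype, tag, value in parse_tunnel_attrs(buf):
        sets.setdefault(tag, {}).setdefault(atype, value)
    for attrs in sets.values():
        if attrs.get(TUNNEL_TYPE) != VLAN or attrs.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
            continue
        gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if not gid.isdigit():          # ASCII 0-9 only, and not empty
            continue
        vid = int(gid)                 # leading zeros are discarded
        if 1 <= vid <= 4095:
            return vid
    return None


def attr(atype, payload):
    """Encode one attribute as type, length, value (helper for the sample)."""
    return bytes([atype, len(payload) + 2]) + payload


# Constructed sample: Tag 1 describes a non-VLAN tunnel, Tag 2 assigns VLAN 42.
SAMPLE = (attr(64, b"\x01\x00\x00\x03") + attr(65, b"\x01\x00\x00\x01") + attr(81, b"\x01corp")
          + attr(64, b"\x02\x00\x00\x0d") + attr(65, b"\x02\x00\x00\x06") + attr(81, b"\x020042"))

if __name__ == "__main__":
    print(select_vlan_id(SAMPLE))
```

Returning None means the Access-Accept carries no usable VLAN assignment; what the port does in that case is governed by the switch configuration, not by this sketch.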

Guest VLAN Operation

When the link comes up on a port with Guest VLAN enabled, the switch starts transmitting EAPOL Request Identity frames. If the
number of transmissions of such frames exceeds Max. Reauth. Count and no EAPOL frames have been received in the meantime, the
switch considers entering the Guest VLAN. The interval between transmissions of EAPOL Request Identity frames is configured with
EAPOL Timeout. If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be placed in the Guest VLAN. If disabled, the
switch will first check its history to see if an EAPOL frame has previously been received on the port (this history is cleared if the
port link goes down or the port's Admin State is changed), and if not, the port will be placed in the Guest VLAN. Otherwise it will
not move to the Guest VLAN, but continue transmitting EAPOL Request Identity frames at the rate given by EAPOL Timeout. Once in
the Guest VLAN, the port is considered authenticated, and all attached clients on the port are allowed access on this VLAN. The
switch will not transmit an EAPOL Success frame after entering the Guest VLAN.
While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one such frame is received, the switch immediately
takes the port out of the Guest VLAN and starts authenticating the supplicant according to the port mode. Once an EAPOL frame has
been received, the port will never be able to go back into the Guest VLAN if Allow Guest VLAN if EAPOL Seen is disabled.

Further Guidelines for Port Admin State

• Port Admin state can only be set to Force-Authorized for ports participating in the Spanning Tree algorithm (see page 79).
• When 802.1X authentication is enabled on a port, the MAC address learning function for this interface is disabled, and the
  addresses dynamically learned on this port are removed from the common address table.
• Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table. Configured static
  MAC addresses are added to the secure address table when seen on a switch port (see page 100). Static addresses are
  treated as authenticated without sending a request to a RADIUS server.
• When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN
  assignments are not restored.

1. Click Configuration, Security, Network, NAS.
2. Modify the required attributes.
3. Click Save.
NXA-ENET8-2POE - Instruction Manual
Configuring the NXA-ENET8-2POE