Guest And Authentication-Fail Vlans - Dell Force10 Z9000 Configuration Manual

Figure 7. Dynamic VLAN Assignment
1. Configure 8021.x globally (refer to
inDynamic VLAN Assignment with Port
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5. Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in
with Port Authentication).

Guest and Authentication-Fail VLANs

Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the
supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or
the VLAN that the authentication server indicates in the authentication data.
NOTE: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not
appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the
network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate
themselves. To be able to connect such devices, they must be allowed access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail
VLAN 802.1X extension addresses this limitation with regard to external users.
82
802.1X
Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration
Authentication).
Dynamic VLAN Assignment