Cisco SF500-24 Administration Manual page 414

Security
Configuring 802. 1 X
Cisco 500 Series Stackable Managed Switch Administration Guide Release 1.3
username and password must be entered in lower case and with no
delimiting characters (for example: aaccbb55ccff). To use MAC-based
authentication at a port:
- A Guest VLAN must be defined
- The port must be Guest VLAN enabled.
- The packets from the first supplicant at the port before it is authorized
must be untagged packets.
You can configure a port to use 802. 1 x, MAC-based, or 802. 1 x and MAC-based
authentication. If a port is configured to use both 802. 1 x and MAC-based
authentication, 802. 1 x has precedence over non-802. 1 x device.
Unauthenticated VLANs and the Guest VLAN
Unauthenticated VLANs and Guest VLAN provide access to services that do not
require the subscribing devices or ports to be 802. 1 x or MAC-Based authenticated
and authorized.
An unauthenticated VLAN is a VLAN that allows access by both authorized and
unauthorized devices or ports. You can configure one or more VLANs to be
unauthenticated in Creating VLANs
An unauthenticated VLAN has the following characteristics:
• It must be a static VLAN, and cannot be the Guest VLAN or the Default
VLAN.
• The member ports must be manually configured as tagged members.
• The member ports must be trunk and/or general ports. An access port
cannot be member of an unauthenticated VLAN.
The Guest VLAN, if configured, is a static VLAN with the following characteristics.
• Must be manually defined from an existing static VLAN.
• Is automatically available only to unauthorized devices or ports of devices
that are connected and Guest-VLAN-enabled.
• If a port is Guest-VLAN-enabled, the device automatically adds the port as
untagged member of the Guest VLAN when the port is not authorized, and
removes the port from the Guest VLAN when the first supplicant of the port
is authorized.
• The Guest VLAN cannot be used as the Voice VLAN and an unauthenticated
VLAN.
20
396