secure MAC addresses:
• Single 802.1X
• Multi 802.1X
• MAC-Based Auth.

If a client is denied access—either because the RADIUS server denies the client access or because the RADIUS server request times out (according to the timeout specified on the "Configuration→Security→AAA" page)—the client is put on hold in the Unauthorized state. The hold timer does not count during an ongoing authentication.

In MAC-based Auth. mode, the switch will ignore new frames coming from the client during the hold time.

The Hold Time can be set to a number between 10 and 1000000 seconds.

RADIUS-Assigned QoS Enabled:
RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature (see RADIUS-Assigned QoS Enabled below for a detailed description).

The "RADIUS-Assigned QoS Enabled" checkbox provides a quick way to globally enable/disable RADIUS-server assigned QoS Class functionality. When checked, the individual ports' ditto setting determines whether RADIUS-assigned QoS Class is enabled on that port. When unchecked, RADIUS-server assigned QoS Class is disabled on all ports.

RADIUS-Assigned VLAN Enabled:
RADIUS-assigned VLAN provides a means to centrally control the VLAN on which a successfully authenticated supplicant is placed on the switch. Incoming traffic will be classified to and switched on the RADIUS-assigned VLAN. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature (see RADIUS-Assigned VLAN Enabled below for a detailed description).

The "RADIUS-Assigned VLAN Enabled" checkbox provides a quick way to globally enable/disable RADIUS-server assigned VLAN functionality. When checked, the individual ports' ditto setting determines whether RADIUS-assigned VLAN is enabled on that port. When unchecked, RADIUS-server assigned VLAN is disabled on all ports.

Guest VLAN Enabled:
A Guest VLAN is a special VLAN—typically with limited network access—on which 802.1X-unaware clients are placed after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as listed below.

The "Guest VLAN Enabled" checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When checked, the individual port's ditto setting determines whether the port can be moved into Guest VLAN. When unchecked, the ability to move to the Guest VLAN is disabled on all ports.

Guest VLAN ID:
This is the value that a port's Port VLAN ID is set to if a port is moved into the Guest VLAN. It is only changeable if the Guest VLAN option is globally enabled.
Valid values are in the range 1–4095.

Max. Reauth. Count:
The number of times the switch transmits an EAPOL Request Identity frame without response before considering entering the Guest VLAN is adjusted with this setting. The value can only be changed if the Guest VLAN option is globally enabled.
Valid values are in the range 1–255.

Allow Guest VLAN if EAPOL Seen:
The switch remembers if an EAPOL frame has been received on the port for the lifetime of the port.
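
The global-checkbox gating and value ranges described above can be checked offline against an exported configuration. The following Python audit is an added example, not part of the original manual; the field names (`hold_time`, `radius_qos`, `radius_vlan`, `guest_vlan`, `guest_vlan_id`, `max_reauth_count`) and the sample configuration are hypothetical.

```python
# Added example: audit of the global/per-port NAS settings described above.
# Field names are hypothetical; ranges and gating rules come from the text.
RANGES = {
    "hold_time": (10, 1000000),      # seconds
    "guest_vlan_id": (1, 4095),
    "max_reauth_count": (1, 255),
}
FEATURES = ("radius_qos", "radius_vlan", "guest_vlan")


def effective_ports(cfg):
    """Per-port feature state: a port setting only applies while the
    matching global checkbox is checked."""
    glob = cfg["global"]
    return {
        port: {f: bool(glob.get(f)) and bool(p.get(f)) for f in FEATURES}
        for port, p in cfg["ports"].items()
    }


def audit(cfg):
    """Return findings for out-of-range values and for port settings
    that an unchecked global checkbox silently overrides."""
    findings = []
    glob = cfg["global"]
    for key, (lo, hi) in RANGES.items():
        if key in glob and not lo <= glob[key] <= hi:
            findings.append(f"{key}={glob[key]} outside {lo}-{hi}")
    for port, p in sorted(cfg["ports"].items()):
        for f in FEATURES:
            if p.get(f) and not glob.get(f):
                findings.append(f"port {port}: {f} set but globally disabled")
    return findings


# Constructed sample configuration, not taken from a real switch.
SAMPLE = {
    "global": {"hold_time": 5, "radius_qos": False, "radius_vlan": True,
               "guest_vlan": True, "guest_vlan_id": 4095, "max_reauth_count": 2},
    "ports": {
        1: {"radius_vlan": True, "guest_vlan": False, "radius_qos": True},
        2: {"radius_vlan": False, "guest_vlan": True},
    },
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
    print(effective_ports(SAMPLE))
```

A port-level setting that is flagged as "globally disabled" has no effect on the switch, so a port an operator believes is receiving RADIUS-assigned QoS or VLAN placement is in fact not.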
Publication date: Sept, 2015
Revision A1