Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled. If disabled (unchecked, default), the switch will only enter the Guest VLAN if an EAPOL frame has not been received on the port for the lifetime of the port. If enabled (checked), the switch will consider entering the Guest VLAN even if an EAPOL frame has been received on the port for the lifetime of the port. Enabling it therefore lets a port on which an 802.1X-capable supplicant has already been seen fall back to the Guest VLAN. The value can only be changed if the Guest VLAN option is globally enabled.
Port Configuration:
The table has one row for each port on the selected switch and a number of columns, which are:

Port:
The port number that the configuration below applies to.

Admin State:
If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are available:
Force Authorized:
In this mode, the switch will send one EAPOL Success frame when the port link comes up, and any client on the port will be allowed network access without authentication.

Force Unauthorized:
In this mode, the switch will send one EAPOL Failure frame when the port link comes up, and any client on the port will be disallowed network access.
Port-based 802.1X:
In the 802.1X world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle, forwarding requests and responses between the supplicant and the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC 3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch's IP address, name, and the supplicant's port number on the switch. EAP is very flexible: it allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator (the switch) doesn't need to know which authentication method the supplicant and the authentication server are using, or how many information exchange frames are needed for a particular method. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it. When authentication is complete, the RADIUS server sends a special packet (an Access-Accept or Access-Reject) containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant.
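The relay step described above, as an added example that is not part of this manual or of the switch's firmware. It parses an EAPOL frame from the supplicant, pulls out the EAP PDU, wraps it in a RADIUS Access-Request carrying NAS-IP-Address, NAS-Identifier and NAS-Port (the switch's address and name and the supplicant's port number), and checks both authenticators of the server's reply before unwrapping the EAP Success/Failure that goes back to the supplicant. Frame layouts follow IEEE 802.1X, RFC 3748 and RFC 2865/3579; the MAC addresses, port number, identity "alice" and shared secret in the demo are constructed sample values, and the server reply is built locally because there is no RADIUS server in the example.

```python
import hashlib
import hmac
import os
import struct

ETH_P_PAE = 0x888E                                  # EtherType of EAPOL frames
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 802.1X PAE group MAC address
EAPOL_VERSION, EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 2, 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 4, 5
ATTR_NAS_IDENTIFIER, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 32, 79, 80


def parse_eapol(frame):
    """Return (eapol_type, eap_pdu) from an Ethernet frame; eap_pdu is b'' for Start/Logoff."""
    if len(frame) < 18 or frame[12:14] != struct.pack("!H", ETH_P_PAE):
        raise ValueError("not an EAPOL frame")
    _ver, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:                       # never trust the on-wire length field
        raise ValueError("truncated EAPOL body")
    if eapol_type != EAPOL_EAP_PACKET:
        return eapol_type, b""                      # EAPOL-Start / Logoff carry no EAP PDU
    if body_len < 4:
        raise ValueError("EAP header too short")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= body_len or code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("malformed EAP PDU")
    return eapol_type, body[:eap_len]


def build_eapol(dst, src, eap_pdu):
    """Wrap an EAP PDU (e.g. the server's Success/Failure) in an EAPOL frame for the supplicant."""
    return dst + src + struct.pack("!HBBH", ETH_P_PAE, EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap_pdu)) + eap_pdu


def _attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_access_request(eap_pdu, secret, nas_ip, nas_id, nas_port, user_name, ident=0, authenticator=None):
    """Encapsulate the EAP PDU in a RADIUS Access-Request (RFC 3579) with the NAS attributes, then HMAC it."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator, fresh per request
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
    attrs += _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    for i in range(0, len(eap_pdu), 253):              # one EAP-Message holds at most 253 bytes
        attrs += _attr(ATTR_EAP_MESSAGE, eap_pdu[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # RFC 3579 section 3.2
    return pkt[:-16] + mac, authenticator


def build_radius_reply(code, ident, request_auth, secret, eap_pdu):
    """Constructed server reply: Message-Authenticator first, then the Response Authenticator (RFC 2865)."""
    attrs = _attr(ATTR_EAP_MESSAGE, eap_pdu) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def eap_from_radius(pkt, secret, request_auth):
    """Check both authenticators of the reply and return (radius_code, reassembled EAP PDU)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        raise ValueError("bad RADIUS reply")
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):  # wrong secret or reply to another request
        raise ValueError("Response Authenticator mismatch")
    pos, eap, mac_off = 20, b"", None
    while pos < length:
        if pos + 2 > length or not 2 <= pkt[pos + 1] <= length - pos:
            raise ValueError("malformed attribute")
        kind, alen = pkt[pos], pkt[pos + 1]
        if kind == ATTR_EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]          # long EAP PDUs span several attributes
        elif kind == ATTR_MESSAGE_AUTHENTICATOR:
            mac_off = pos + 2
        pos += alen
    if mac_off is None:                             # RFC 3579: mandatory whenever EAP-Message is present
        raise ValueError("reply carries EAP but no Message-Authenticator")
    check = pkt[:4] + request_auth + pkt[20:mac_off] + bytes(16) + pkt[mac_off + 16:]
    if not hmac.compare_digest(hmac.new(secret, check, hashlib.md5).digest(), pkt[mac_off:mac_off + 16]):
        raise ValueError("Message-Authenticator mismatch")
    return code, eap


if __name__ == "__main__":
    # Constructed sample: the supplicant on switch port 7 answers an Identity request with "alice".
    supplicant, secret = bytes.fromhex("001122334455"), b"s3cret"
    identity = struct.pack("!BBHB", EAP_RESPONSE, 1, 10, 1) + b"alice"
    _, pdu = parse_eapol(build_eapol(PAE_GROUP_ADDR, supplicant, identity))
    req, auth = build_access_request(pdu, secret, "192.0.2.1", "sw1", 7, "alice")
    reply = build_radius_reply(ACCESS_ACCEPT, 0, auth, secret, struct.pack("!BBH", EAP_SUCCESS, 1, 4))
    print(eap_from_radius(reply, secret, auth))
```

The switch never looks inside the EAP PDU; it only reads the RADIUS code of the final reply. The Response Authenticator and Message-Authenticator checks are what stop a spoofed Access-Accept from the LAN side opening the port, so a real authenticator must refuse any reply that fails them, exactly as the last function does.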
NOTE: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not considered dead). Now, if the supplicant retransmits EAPOL Start frames more often than once every X seconds, then it will never get authenticated, because the switch will cancel ongoing backend authentication server requests whenever it receives a new EAPOL Start frame from the supplicant. And since the server hasn't yet failed (because the X seconds haven't expired), the same server will be contacted upon the next backend authentication server request from the switch. This scenario will loop forever. Therefore, the server timeout should be smaller than the supplicant's EAPOL Start frame retransmission interval.
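The scenario in the note as an added example, a timeline model that is not part of this manual or of the switch's software. It assumes, beyond what the note states, that a down server stays silent until the server timeout expires, that an up server answers within `rtt` seconds, and that the switch moves to the next server in the list only after a request to the current one has timed out. The 30 s EAPOL Start interval and the 60 s and 15 s server timeouts are constructed values.

```python
def simulate(start_interval, server_timeout, servers_up=(False, True), rtt=0.5, max_time=600.0):
    """Walk the events on one port. Assumptions (not from the manual): a down server never
    answers before server_timeout, an up server answers within rtt, and failover to the next
    server happens only after a timeout. Returns the authentication time (None if it never
    happens), the number of backend requests cancelled by a fresh EAPOL Start, and the server."""
    t = 0.0                          # the supplicant sends its first EAPOL Start now
    next_start = start_interval      # ... and retransmits it every start_interval seconds
    current = 0                      # server the switch uses for new requests
    inflight = (current, t)          # (server index, time the request was sent)
    cancelled = 0
    while t < max_time:
        srv, sent = inflight
        finish = sent + (rtt if servers_up[srv] else server_timeout)
        if finish < next_start:
            # The backend request completes before the supplicant's next EAPOL Start.
            t = finish
            if servers_up[srv]:
                return {"authenticated_at": t, "cancelled": cancelled, "server": srv}
            current = (srv + 1) % len(servers_up)   # timed out: fail over to the next server
            inflight = (current, t)
        else:
            # A new EAPOL Start arrives first: the switch cancels the pending request and, since
            # the server has not timed out yet, sends the next request to the same server.
            t = next_start
            next_start += start_interval
            cancelled += 1
            inflight = (current, t)
    return {"authenticated_at": None, "cancelled": cancelled, "server": None}


def server_timeout_is_safe(server_timeout, start_interval):
    """The rule from the note: the AAA server timeout must be strictly smaller than the
    supplicant's EAPOL Start retransmission interval."""
    return server_timeout < start_interval


if __name__ == "__main__":
    # Constructed values: a supplicant that retransmits EAPOL Start every 30 s.
    for timeout in (60, 15):
        print(f"server timeout {timeout}s, EAPOL Start every 30s:",
              simulate(start_interval=30, server_timeout=timeout),
              "safe" if server_timeout_is_safe(timeout, 30) else "UNSAFE")
```

With a 60 s timeout the pending request is cancelled at every 30 s retransmission and the first server is never marked failed, so the port stays unauthenticated for as long as the supplicant keeps trying; with a 15 s timeout the first request times out, the switch fails over to the second server and the supplicant is authenticated before its next EAPOL Start.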
Publication date: Sept, 2015
Revision A1