Table of Contents
Advertisement
Chapter 9
| General Security Measures
Network Access (MAC Address Authentication)
network-access
guest-vlan
Default Setting
Enabled
Command Mode
Interface Configuration
Command Usage
◆
When enabled, the VLAN identifiers returned by the RADIUS server through the
802.1X authentication process will be applied to the port, providing the VLANs
have already been created on the switch. GVRP is not used to create the VLANs.
◆
The VLAN settings specified by the first authenticated MAC address are
implemented for a port. Other authenticated MAC addresses on the port must
have same VLAN configuration, or they are treated as an authentication failure.
◆
If dynamic VLAN assignment is enabled on a port and the RADIUS server
returns no VLAN configuration, the authentication is still treated as a success,
and the host assigned to the default untagged VLAN.
◆
When the dynamic VLAN assignment status is changed on a port, all
authenticated addresses are cleared from the secure MAC address table.
Example
The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#
Use this command to assign all traffic on a port to a guest VLAN when 802.1x
authentication or MAC authentication is rejected. Use the no form of this command
to disable guest VLAN assignment.
Syntax
network-access guest-vlan vlan-id
no network-access guest-vlan
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Disabled
Command Mode
Interface Configuration
– 290 –
Hide quick links:
Advertisement
Table of Contents
