The Features Of Vlan Allocation - Planet XGS3-42000R User Manual

4-slot layer 3 ipv6/ ipv4 routing chassis switch

resources, which means all users of this port can access limited resources before being authenticated. The user-based advanced control restricts access to limited resources: only some particular users of the port can access limited resources before being authenticated. Once those users pass authentication, they can access all resources.
Attention: when using private supplicant systems, user-based advanced control is recommended to effectively prevent ARP cheat.
The maximum number of authenticated users can be 4000, but fewer than 2000 is preferred.

47.1.8 The Features of VLAN Allocation

1. Auto VLAN
The Auto VLAN feature enables the RADIUS server to change the VLAN to which the access port belongs, based on the user information and the user access device information. When an 802.1x user passes authentication on the server, the RADIUS server sends the authorization information to the device. If the RADIUS server has enabled the VLAN-assigning function, the following attributes should be included in the Access-Accept messages:
Tunnel-Type = VLAN (13)
Tunnel-Medium-Type = 802 (6)
Tunnel-Private-Group-ID = VLANID
VLANID here means the VID of the VLAN, ranging from 1 to 4094. For example, Tunnel-Private-Group-ID = 30 means VLAN 30.
When the switch receives the assigned Auto VLAN information, the current Access port leaves the VLAN set by the user and joins the Auto VLAN.
Auto VLAN does not change or affect the port's configuration. However, the Auto VLAN has a higher priority than the user-set VLAN: the Auto VLAN is the one that takes effect once authentication is finished, and the user-set VLAN does not take effect until the user goes offline.
Notes: At present, Auto VLAN can only be used in the port-based access control mode, and on ports whose link type is Access.
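The Auto VLAN attribute check described above, as an added example that is not taken from the manual or from Planet's firmware: it decodes the attribute area of an Access-Accept and returns a VLAN ID only when all three attributes carry the listed values. It assumes the RFC 2868 encoding (attribute numbers 64, 65 and 81, with a leading tag octet); the function names and the sample bytes are constructed for illustration.

```python
# RADIUS attribute numbers (RFC 2868) and the values the manual lists.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
REQUIRED = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6}  # VLAN, 802


def parse_attributes(data):
    """Split a RADIUS attribute area into {type: value}, keeping the first of each type."""
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(atype, data[i + 2:i + alen])
        i += alen
    return attrs


def assigned_vlan(attr_bytes):
    """Return the assigned VLAN ID, or None if no VLAN is assigned; raise on a bad assignment."""
    attrs = parse_attributes(attr_bytes)
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    present = [t for t in wanted if t in attrs]
    if not present:
        return None  # plain Access-Accept: the port keeps its user-set VLAN
    if len(present) != 3:
        raise ValueError("incomplete VLAN assignment")
    for atype, expected in REQUIRED.items():
        value = attrs[atype]  # one tag octet followed by a 3-octet integer
        if len(value) != 4 or int.from_bytes(value[1:], "big") != expected:
            raise ValueError(f"attribute {atype} is not {expected}")
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # optional leading tag octet
        group = group[1:]
    text = group.decode("ascii")
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        raise ValueError("VLAN ID must be a number from 1 to 4094")
    return int(text)


def attr(atype, value):
    """Build one attribute (type, length, value) for the constructed sample."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample: attribute area of an Access-Accept that assigns VLAN 30.
SAMPLE = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
          + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
          + attr(TUNNEL_PRIVATE_GROUP_ID, b"30"))

if __name__ == "__main__":
    print(assigned_vlan(SAMPLE))
```

Rejecting a partial or out-of-range assignment, rather than falling back silently, keeps a misconfigured RADIUS policy from moving an authenticated port into an unintended VLAN.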
2. Guest VLAN
The Guest VLAN feature is used to allow unauthenticated users to access some specified resources.
Before passing 802.1x authentication, the user authentication port belongs to a default VLAN (the Guest VLAN), with the right to access the resources within this VLAN without authentication. Resources in other networks are beyond reach. Once authenticated, the port leaves the Guest VLAN and the user can access the resources of other networks.
In the Guest VLAN, users can get 802.1x supplicant system software, update the supplicant system or update some other applications (such as anti-virus software or operating system patches). The access device will add the port into Guest VLAN if there is no supplicant getting authenticated successfully in a certain stretch of time