AMX NXA-ENET8-2POE Operation/Reference Manual page 75

Network Access Server Configuration parameters (Cont.)
System Configuration (Cont.)
• RADIUS-Assigned
QoS Enabled
(Cont.)
• RADIUS-Assigned
VLAN Enabled
• Guest VLAN
Enabled
NXA-ENET8-2POE Gigabit Ethernet Layer 2 PoE Switch
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries
a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the
port, the port's QoS Class is immediately reverted to the original QoS Class
(which may be changed by the administrator in the meanwhile without affecting
the RADIUSassigned setting).
This option is only available for single-client modes, i.e. port-based 802.1X and
Single 802.1X.
See the RADIUS Attributes Used in Identifying a QoS Class section on page 69
for details.
RADIUS-assigned VLAN provides a means to centrally control the VLAN on
which a successfully authenticated supplicant is placed on the switch. Incoming
traffic will be classified to and switched on the RADIUS-assigned VLAN. The
RADIUS server must be configured to transmit special RADIUS attributes to take
advantage of this feature.
The RADIUS-Assigned VLAN Enabled checkbox provides a quick way to globally
enable/disable RADIUS-server assigned VLAN functionality. When checked, the
individual port settings determine whether RADIUSassigned VLAN is enabled for
that port. When unchecked, RADIUSserver assigned VLAN is disabled for all
ports.
When RADIUS-Assigned VLAN is both globally enabled and enabled for a given
port, the switch reacts to VLAN ID information carried in the RADIUS Access-
Accept packet transmitted by the RADIUS server when a supplicant is success-
fully authenticated. If present and valid, the port's Port VLAN ID will be changed to
this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will
be forced into VLAN unaware mode. Once assigned, all traffic arriving on the port
will be classified and switched on the RADIUS-assigned VLAN ID.
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries
a VLAN ID or it's invalid, or the supplicant is otherwise no longer present on the
port, the port's VLAN ID is immediately reverted to the original VLAN ID (which
may be changed by the administrator in the meanwhile without affecting the
RADIUS-assigned setting).
This option is only available for single-client modes, i.e. port-based 802.1X and
Single 802.1X.
Note: For trouble-shooting VLAN assignments, use the Monitor > VLANs > VLAN
Membership and VLAN Port pages. These pages show which modules have (tem-
porarily) overridden the current Port VLAN configuration.
See the RADIUS Attributes Used in Identifying a VLAN ID section on page 70 for
details.
A Guest VLAN is a special VLAN - typically with limited network access - on which
802.1X-unaware clients are placed after a network administrator-defined timeout.
The switch follows a set of rules for entering and leaving the Guest VLAN as listed
below.
The Guest VLAN Enabled checkbox provides a quick way to globally enable/dis-
able Guest VLAN functionality. When checked, the individual port settings deter-
mine whether the port can be moved into Guest VLAN.
When unchecked, the ability to move to the Guest VLAN is disabled for all ports.
When Guest VLAN is both globally enabled and enabled for a given port, the
switch considers moving the port into the Guest VLAN according to the rules out-
lined below. This option is only available for EAPOL-based modes, i.e. Port-based
802.1X, Single 802.1X, and Multi 802.1X
Note: For trouble-shooting VLAN assignments, use the Monitor > VLANs >VLAN
Membership and VLAN Port pages. These pages show which modules have (tem-
porarily) overridden the current Port VLAN configuration.
See the Guest VLAN Operation section on page 70 for details.
Configuring the NXA-ENET8-2POE
65