AMX NXA-ENET8-2POE Operation/Reference Manual page 76

Configuring the NXA-ENET8-2POE
Network Access Server Configuration parameters (Cont.)
System Configuration (Cont.)
• Guest VLAN ID
• Max. Reauth.
Count
• Allow Guest VLAN
if EAPOL Seen
Port Configuration
• Port
• Admin State
66
This is the value that a port's Port VLAN ID is set to if a port is moved into the
Guest VLAN.
• It is only changeable if the Guest VLAN option is globally enabled.
• Range: 1-4095.
The number of times that the switch transmits an EAPOL Request Identity frame
without receiving a response before adding a port to the Guest VLAN. The value
can only be changed if the Guest VLAN option is globally enabled. (Range: 1-255)
The switch remembers if an EAPOL frame has been received on the port for the
lifetime of the port. Once the switch considers whether to enter the Guest VLAN, it
will first check if this option is enabled or disabled.
• If disabled (the default), the switch will only enter the Guest VLAN if an EAPOL
frame has not been received on the port for the lifetime of the port.
• If enabled, the switch will consider entering the Guest VLAN even if an EAPOL
frame has been received on the port for the lifetime of the port. The value can
only be changed if the Guest VLAN option is globally enabled.
Port identifier.
If NAS is globally enabled, this selection controls the port's authentication mode.
The following modes are available:
• Force Authorized - The switch sends one EAPOL Success frame when the
port link comes up. This forces the port to grant access to all clients, either
dot1x-aware or otherwise. (This is the default setting.)
• Force Unauthorized - The switch will send one EAPOL Failure frame when the
port link comes up. This forces the port to deny access to all clients, either
dot1x-aware or otherwise.
• Port-based 802.1X - Requires a dot1x-aware client to be authorized by the
authentication server. Clients that are not dot1xaware will be denied access.
• Single 802.1X - At most one supplicant can get authenticated on the port at a
time. If more than one supplicant is connected to a port, the one that comes first
when the port's link comes up will be the first one considered. If that supplicant
doesn't provide valid credentials within a certain amount of time, another
supplicant will get a chance. Once a supplicant is successfully authenticated,
only that supplicant will be allowed access. This is the most secure of all the
supported modes. In this mode, the Port Security module is used to secure a
supplicant's MAC address once successfully authenticated.
• Multi 802.1X - One or more supplicants can get authenticated on the same port
at the same time. Each supplicant is authenticated individually and secured in
the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as the
destination MAC address for EAPOL frames sent from the switch towards the
supplicant, since that would cause all supplicants attached to the port to reply to
requests sent from the switch. Instead, the switch uses the supplicant's MAC
address, which is obtained from the first EAPOL Start or EAPOL Response
Identity frame sent by the supplicant.
An exception to this is when no supplicants are attached. In this case, the switch
sends EAPOL Request Identity frames using the BPDU multicast MAC address
as the destination - to wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be
limited using the Port Security Limit Control functionality.
NXA-ENET8-2POE Gigabit Ethernet Layer 2 PoE Switch