Global Port Access Control Configuration - Ubiquiti EdgeSwitch ES-24-250W Administration Manual


EdgeSwitch
Administration Guide

Global Port Access Control Configuration

Use the Port Access Control Configuration page to enable or disable port access control on the system.
To display the Port Access Control Configuration page, click Security > Port Access Control > Configuration in the navigation menu.
Port Access Control Configuration Fields

| Field | Description |
|---|---|
| Admin Mode | Specifies whether to Enable or Disable port-based authentication on the switch. The default is Disable. |
| VLAN Assignment Mode | The administrative mode of RADIUS-based VLAN assignment on the device. When enabled, this feature allows a port to be placed into a particular VLAN based on the result of the authentication or type of 802.1X authentication a client uses when it accesses the device. The authentication server can provide information to the device about which VLAN to assign the supplicant. |
| Dynamic VLAN Creation Mode | The administrative mode of dynamic VLAN creation on the device. Select Enable to allow the switch to dynamically create a RADIUS-assigned VLAN if it does not already exist in the VLAN database. If RADIUS-assigned VLANs are enabled, the RADIUS server is expected to include the VLAN ID in the 802.1X tunnel attributes of its response message to the device. If dynamic VLAN creation is enabled on the device and the RADIUS-assigned VLAN does not exist, then the assigned VLAN is dynamically created. This implies that the client can connect from any port and can get assigned to the appropriate VLAN. This feature gives flexibility for clients to move around the network without much additional configuration required. |
| Monitor Mode | The administrative mode of the Monitor Mode feature on the device. Monitor mode is a special mode that can be enabled in conjunction with port-based access control. Monitor mode provides a way for network administrators to identify possible issues with the port-based access control configuration on the device without affecting the network access to the users of the device. It allows network access even in cases where there is a failure to authenticate, but it logs the results of the authentication process for diagnostic purposes. If the device fails to authenticate a client for any reason (for example, RADIUS access reject from the RADIUS server, RADIUS timeout, or the client itself is 802.1X unaware), the client is authenticated and is undisturbed by the failure condition(s). The reasons for failure are logged and buffered into the local logging database for tracking purposes. |
| EAPOL Flood Mode | The administrative mode of the Extensible Authentication Protocol (EAP) over LAN (EAPOL) flood support on the device. EAPOL Flood Mode can be enabled when Admin Mode and Monitor Mode are disabled. |

Use the buttons to perform the following tasks:
• If you change any settings, click Submit to apply the new settings to the system.
• Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.
Ubiquiti Networks, Inc.
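The VLAN assignment described for VLAN Assignment Mode and Dynamic VLAN Creation Mode can be checked from the RADIUS side with the following added example, which is not part of the Ubiquiti manual. It assumes the "802.1X tunnel attributes" are the RFC 3580 triple (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID); the function names, the "missing" label and the sample packet are constructed for illustration, and the Response Authenticator is not verified.

```python
# Assumption: VLAN assignment uses the RFC 2868 / RFC 3580 tunnel attributes.
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def attributes(packet):
    """Yield (type, value) pairs from a RADIUS packet, rejecting bad lengths."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def assigned_vlan(packet):
    """VLAN ID carried by an Access-Accept, or None if the triple is incomplete."""
    found = {}
    for atype, value in attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")  # skip 1-byte tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            text = value[1:] if value[0] <= 0x1F else value  # optional tag byte
            found[atype] = text.decode("ascii", "replace")
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if (packet[0] != ACCESS_ACCEPT or found.get(TUNNEL_TYPE) != TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802 or not group.isdigit()):
        return None
    return int(group) if 1 <= int(group) <= 4094 else None

def vlan_action(packet, vlan_db, dynamic_creation):
    """Classify the result against a VLAN database (labels are hypothetical)."""
    vlan = assigned_vlan(packet)
    if vlan is None:
        return ("no-assignment", None)
    if vlan in vlan_db:
        return ("assign", vlan)
    return ("create", vlan) if dynamic_creation else ("missing", vlan)

def build_accept(*attrs):  # builds constructed sample packets, authenticator all zeros
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([ACCESS_ACCEPT, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

SAMPLE = build_accept((TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
                      (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
                      (TUNNEL_PRIVATE_GROUP_ID, b"30"))  # constructed: VLAN 30
```

A "missing" result only flags that the VLAN is absent from the database while dynamic creation is off; what the switch does with the port in that case is not stated on this page.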
Managing Device Security