DELL PC7024 User Manual

802.1x Commands
Guest VLAN
The Guest VLAN feature allows a PowerConnect switch to provide a 
distinguished service to unauthenticated users (not rogue users who fail 
authentication). This feature provides a mechanism that gives visitors and 
contractors network access to reach the external network, with no ability 
to browse the internal LAN.
When a client that does not support 802.1X is connected to an unauthorized 
port that is 802.1X-enabled, the client does not respond to the 802.1X 
requests from the switch. Therefore, the port remains in the unauthorized 
state, and the client is not granted access to the network. If a guest VLAN is 
configured for that port, then the port is placed in the configured guest 
VLAN, and the port is moved to the authorized state, allowing access to the 
client.
802.1x Monitor Mode
Monitor mode is a special mode that can be enabled in conjunction with 
Dot1x authentication. It allows network access even when authentication 
fails, but logs the results of the authentication process for 
diagnostic purposes. The exact details are described in the sections below. 
The main aim of monitor mode is to give the operator a way to identify 
shortcomings in the Dot1x authentication configuration on the switch 
without affecting network access for the users of the switch.
There are three important aspects to this feature after activation:
• To allow successful authentications using the information returned from 
  the authentication server.
• To provide a mechanism to report unsuccessful authentications without 
  negative repercussions to the user due to operator errors or failure cases 
  from the authentication server or supplicants.
• To accurately report the data received from the successful and 
  unsuccessful operations so that the operator can make the appropriate 
  changes or learn where the problem areas are.
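The following Python model is an added example, not code from the Dell manual or the switch firmware: it applies the Guest VLAN and monitor mode behaviour this section describes to a set of clients and lists which of them end up with access without having authenticated. The port names, VLAN 99, the `decide` and `unauthenticated_access` functions, and the choice to evaluate Guest VLAN before monitor mode are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Outcome(Enum):
    SUCCESS = "authenticated"
    REJECT = "RADIUS access reject"
    TIMEOUT = "RADIUS timeout"
    UNAWARE = "client is Dot1x unaware"

@dataclass
class Decision:
    authorized: bool
    vlan: Optional[int]  # None: VLAN placement is not modelled for this path
    via: str             # mechanism that opened the port
    log: Optional[str]   # failure record monitor mode leaves for the operator

def decide(outcome, guest_vlan=None, monitor_mode=False):
    """Port state for one client, following the behaviour described above."""
    if outcome is Outcome.SUCCESS:
        return Decision(True, None, "802.1X", None)
    # Guest VLAN serves only clients that never answer 802.1X requests,
    # not clients that fail authentication. Assumption: it is checked first.
    if outcome is Outcome.UNAWARE and guest_vlan is not None:
        return Decision(True, guest_vlan, "guest VLAN", None)
    if monitor_mode:
        # Access is allowed anyway; the failure is logged for diagnosis.
        return Decision(True, None, "monitor mode", f"auth failed: {outcome.value}")
    return Decision(False, None, "none", None)

def unauthenticated_access(events, monitor_mode):
    """List (port, via, log) for clients given access without authenticating."""
    report = []
    for port, outcome, guest_vlan in events:
        d = decide(outcome, guest_vlan, monitor_mode)
        if d.authorized and d.via != "802.1X":
            report.append((port, d.via, d.log))
    return report

# Constructed sample: (port, outcome, guest VLAN configured on the port or None)
EVENTS = [
    ("1/0/1", Outcome.SUCCESS, None), ("1/0/2", Outcome.UNAWARE, 99),
    ("1/0/3", Outcome.REJECT, 99), ("1/0/4", Outcome.TIMEOUT, None),
    ("1/0/5", Outcome.UNAWARE, None),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("monitor mode:", mode, unauthenticated_access(EVENTS, mode))
```

With monitor mode off, only the 802.1X-unaware client on the Guest VLAN port gets in; with it on, every failed client does, which is why the logged failures need to be reviewed and the mode treated as a diagnostic setting.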
Monitor mode can be configured globally on a switch. If the switch fails 
to authenticate the user for any reason (for example, a RADIUS access reject 
from the RADIUS server, a RADIUS timeout, or the client itself being Dot1x unaware), the 
2CSPC4.XCT-SWUM2XX1.book  Page 817  Monday, October 3, 2011  11:05 AM