7.11. Configuring Guest VLAN

Overview

Function Introduction

You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to clients (for example, a way to download the 802.1x client software). These clients might be upgrading their system for 802.1x authentication, and some hosts, such as Windows 98 systems, might not be 802.1x-capable.

When the authentication server does not receive a response to its EAPOL request/identity frames, clients that are not 802.1x-capable are put into the guest VLAN for the port, if one is configured. 802.1x-capable clients that fail authentication, however, are not granted access to the network. Once the switch port is moved to the guest VLAN, any number of hosts on that port is allowed access.

The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

Note: Guest VLAN is supported on access ports only; it is not supported on routed ports or trunk ports.

Principle Description

Configuration

Fig. 7.10 Guest VLAN: before authentication

In the above topology, eth-0-22 is an IEEE 802.1X enabled port in native VLAN 10, and the configured guest VLAN for this port is VLAN 20. Clients that are not 802.1X capable are therefore put into VLAN 20 after the authenticator has sent the maximum number of EAPOL request/identity frames (ReqMax) without receiving a response.

Fig. 7.11 Guest VLAN: after authentication

We use a remote Linux RADIUS server as the authentication server; its address is 202.38.100.7, and the IP address of the connected routed port eth-0-23 is 202.38.100.1. Once the client has been authenticated by the RADIUS server, it can reach the public Internet, which is also in VLAN 10.

step 1 Enter the configure mode

Switch# configure terminal

step 2 Enter the vlan configure mode and create vlan

Switch(config)# vlan database
Switch(config-vlan)# vlan 10
Switch(config-vlan)# vlan 20
Switch(config-vlan)# exit

step 3 Enable dot1x globally

Switch(config)# dot1x system-auth-ctrl

step 4 Enter the interface configure mode, set the attributes of the interface, enable dot1x, and set the guest VLAN

Switch(config)# interface eth-0-22
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# dot1x port-control auto
Switch(config-if)# no shutdown
Switch(config-if)# dot1x guest-vlan 20
Switch(config-if)# exit

step 5 Set the attributes of the Layer 3 interface and set the RADIUS server

Switch(config)# interface eth-0-23
Switch(config-if)# no switchport
Switch(config-if)# ip address 202.38.100.1/24
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# radius-server host 202.38.100.7
Switch(config)# radius-server key test

step 6 Exit the configure mode

Switch(config)# end

step 7 Validation

Initial state (no client connected yet):

Switch# show running-config
dot1x system-auth-ctrl
radius-server host 202.38.100.7 key test
vlan database
vlan 10,20
 !
interface eth-0-22
switchport access vlan 10
dot1x port-control auto
dot1x guest-vlan 20
 !
console
interface eth-0-23
no switchport
ip address 202.38.100.1/24
 !
Switch# show dot1x interface eth-0-22
802.1X info for interface eth-0-22
portEnabled : true
portControl : Auto
portMode : Port based
portStatus : Unauthorized
Mac Auth bypass : disabled
reAuthenticate : disabled
reAuthPeriod : 3600
Max user number : 255
Current session number : 0
Accept user number : 0
Reject user number : 0
Guest VLAN : 20
Assign VLAN : N/A
QuietPeriod : 60
ReqMax : 2
TxPeriod : 30
SuppTimeout : 30
ServerTimeout : 30
CD: adminControlledDirections : in
CD: operControlledDirections : in
CD: bridgeDetected : false
 ========================================
Switch# show vlan brief
VLAN ID Name State STP ID DSCP Member ports
(u)-Untagged, (t)-Tagged
 ======= ================ ======= ======= ======= ========================
1 default ACTIVE 0 Disable eth-0-1(u) eth-0-2(u)
eth-0-3(u) eth-0-4(u)
eth-0-5(u) eth-0-6(u)
eth-0-7(u) eth-0-8(u)
eth-0-9(u) eth-0-10(u)
eth-0-11(u) eth-0-12(u)
eth-0-13(u) eth-0-14(u)
eth-0-15(u) eth-0-16(u)
eth-0-17(u) eth-0-18(u)
eth-0-19(u) eth-0-20(u)
eth-0-21(u) eth-0-24(u)
eth-0-25(u) eth-0-26(u)
eth-0-27(u) eth-0-28(u)
eth-0-29(u) eth-0-30(u)
eth-0-31(u) eth-0-32(u)
eth-0-33(u) eth-0-34(u)
eth-0-35(u) eth-0-36(u)
eth-0-37(u) eth-0-38(u)
eth-0-39(u) eth-0-40(u)
eth-0-41(u) eth-0-42(u)
eth-0-43(u) eth-0-44(u)
eth-0-45(u) eth-0-46(u)
eth-0-47(u) eth-0-48(u)
10 VLAN0010 ACTIVE 0 Disable eth-0-22(u)
20 VLAN0020 ACTIVE 0 Disable

After the guest VLAN is configured, unauthorized state (port placed in the guest VLAN):

Switch# show dot1x interface eth-0-22
802.1X info for interface eth-0-22
portEnabled : true
portControl : Auto
portMode : Port based
portStatus : Unauthorized
Mac Auth bypass : disabled
reAuthenticate : disabled
reAuthPeriod : 3600
Max user number : 255
Current session number : 1
Accept user number : 0
Reject user number : 1
Guest VLAN : 20(Port Authorized by guest vlan)
Assign VLAN : N/A
QuietPeriod : 60
ReqMax : 2
TxPeriod : 30
SuppTimeout : 30
ServerTimeout : 30
CD: adminControlledDirections : in
CD: operControlledDirections : in
CD: bridgeDetected : false
 ========================================
session 1: 1 - 0058.3F00.0001
 ----------------------------------------
user name : admin
abort:F fail:T start:F timeout:F success:F
PAE: state: Held - portMode: Auto
PAE: reAuthCount: 1 - rxRespId: 0
BE: state: Idle - reqCount: 0 - idFromServer: 92
Switch# show vlan brief
VLAN ID Name State STP ID DSCP Member ports
(u)-Untagged, (t)-Tagged
 ======= ================ ======= ======= ======= ========================
1 default ACTIVE 0 Disable eth-0-1(u) eth-0-2(u)
eth-0-3(u) eth-0-4(u)
eth-0-5(u) eth-0-6(u)
eth-0-7(u) eth-0-8(u)
eth-0-9(u) eth-0-10(u)
eth-0-11(u) eth-0-12(u)
eth-0-13(u) eth-0-14(u)
eth-0-15(u) eth-0-16(u)
eth-0-17(u) eth-0-18(u)
eth-0-19(u) eth-0-20(u)
eth-0-21(u) eth-0-24(u)
eth-0-25(u) eth-0-26(u)
eth-0-27(u) eth-0-28(u)
eth-0-29(u) eth-0-30(u)
eth-0-31(u) eth-0-32(u)
eth-0-33(u) eth-0-34(u)
eth-0-35(u) eth-0-36(u)
eth-0-37(u) eth-0-38(u)
eth-0-39(u) eth-0-40(u)
eth-0-41(u) eth-0-42(u)
eth-0-43(u) eth-0-44(u)
eth-0-45(u) eth-0-46(u)
eth-0-47(u) eth-0-48(u)
10 VLAN0010 ACTIVE 0 Disable
20 VLAN0020 ACTIVE 0 Disable eth-0-22(u)

After the client is authenticated, authorized state:


Switch# show dot1x interface eth-0-22
802.1X info for interface eth-0-22
portEnabled : true
portControl : Auto
portMode : Port based
portStatus : Authorized
Mac Auth bypass : disabled
reAuthenticate : disabled
reAuthPeriod : 3600
Max user number : 255
Current session number : 1
Accept user number : 1
Reject user number : 0
Guest VLAN : 20
Assign VLAN : N/A
QuietPeriod : 60
ReqMax : 2
TxPeriod : 30
SuppTimeout : 30
ServerTimeout : 30
CD: adminControlledDirections : in
CD: operControlledDirections : in
CD: bridgeDetected : false
 ========================================
session 1: 1 - 0058.3f00.0001
 ----------------------------------------
user name : admin
abort:F fail:F start:F timeout:F success:T
PAE: state: Authenticated - portMode: Auto
PAE: reAuthCount: 0 - rxRespId: 0
BE: state: Idle - reqCount: 0 - idFromServer: 207
Switch# show vlan brief
VLAN ID Name State STP ID DSCP Member ports
(u)-Untagged, (t)-Tagged
 ======= ================ ======= ======= ======= ========================
1 default ACTIVE 0 Disable eth-0-1(u) eth-0-2(u)
eth-0-3(u) eth-0-4(u)
eth-0-5(u) eth-0-6(u)
eth-0-7(u) eth-0-8(u)
eth-0-9(u) eth-0-10(u)
eth-0-11(u) eth-0-12(u)
eth-0-13(u) eth-0-14(u)
eth-0-15(u) eth-0-16(u)
eth-0-17(u) eth-0-18(u)
eth-0-19(u) eth-0-20(u)
eth-0-21(u) eth-0-24(u)
eth-0-25(u) eth-0-26(u)
eth-0-27(u) eth-0-28(u)
eth-0-29(u) eth-0-30(u)
eth-0-31(u) eth-0-32(u)
eth-0-33(u) eth-0-34(u)
eth-0-35(u) eth-0-36(u)
eth-0-37(u) eth-0-38(u)
eth-0-39(u) eth-0-40(u)
eth-0-41(u) eth-0-42(u)
eth-0-43(u) eth-0-44(u)
eth-0-45(u) eth-0-46(u)
eth-0-47(u) eth-0-48(u)
10 VLAN0010 ACTIVE 0 Disable eth-0-22(u)
20 VLAN0020 ACTIVE 0 Disable
Switch# show dot1x
802.1X Port-Based Authentication Enabled
RADIUS server address: 202.38.100.7:1812
Next radius message ID: 0
Switch# show dot1x statistics
 =====================================
802.1X statistics for interface eth-0-22
EAPOL Frames Rx: 52 - EAPOL Frames Tx: 4270
EAPOL Start Frames Rx: 18 - EAPOL Logoff Frames Rx: 2
EAP Rsp/Id Frames Rx: 29 - EAP Response Frames Rx: 3
EAP Req/Id Frames Tx: 3196 - EAP Request Frames Tx: 3
Invalid EAPOL Frames Rx: 0 - EAP Length Error Frames Rx: 0
EAPOL Last Frame Version Rx: 2 - EAPOL Last Frame Src: ae38.3288.f046
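As an added example (not part of this manual and not the switch vendor's own software), the following Python script parses the `show dot1x interface` and `show vlan brief` output shown above and cross-checks the port's 802.1X state against its actual VLAN membership. It classifies the port as authenticated, guest-VLAN (forwarding for a host the RADIUS server never authenticated) or unauthorized, and reports the guest-VLAN case as a finding, because that is the state in which whatever is reachable from VLAN 20 must really be limited to the services mentioned in the overview. The sample outputs are abbreviated copies of the outputs on this page; the function names, the access VLAN argument (10, matching `switchport access vlan 10`) and the finding texts are this example's own assumptions.

```python
import re

# Constructed sample inputs: abbreviated copies of the "show dot1x interface eth-0-22" and
# "show vlan brief" output shown above (guest-VLAN state, then authorized state).
DOT1X_GUEST = """\
802.1X info for interface eth-0-22
portStatus : Unauthorized
Guest VLAN : 20(Port Authorized by guest vlan)
Assign VLAN : N/A
session 1: 1 - 0058.3F00.0001
abort:F fail:T start:F timeout:F success:F
PAE: state: Held - portMode: Auto
"""
VLAN_GUEST = """\
VLAN ID Name State STP ID DSCP Member ports
(u)-Untagged, (t)-Tagged
1 default ACTIVE 0 Disable eth-0-1(u) eth-0-2(u)
eth-0-3(u) eth-0-4(u)
10 VLAN0010 ACTIVE 0 Disable
20 VLAN0020 ACTIVE 0 Disable eth-0-22(u)
"""
DOT1X_AUTH = """\
portStatus : Authorized
Guest VLAN : 20
Assign VLAN : N/A
session 1: 1 - 0058.3f00.0001
abort:F fail:F start:F timeout:F success:T
PAE: state: Authenticated - portMode: Auto
"""
VLAN_AUTH = """\
VLAN ID Name State STP ID DSCP Member ports
(u)-Untagged, (t)-Tagged
1 default ACTIVE 0 Disable eth-0-1(u) eth-0-2(u)
10 VLAN0010 ACTIVE 0 Disable eth-0-22(u)
20 VLAN0020 ACTIVE 0 Disable
"""

SESSION_RE = re.compile(r"^session \d+: \d+ - ([0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})")
MEMBER_RE = re.compile(r"(eth-\d+-\d+)\(([ut])\)")

def parse_dot1x_interface(text):
    """Collect the 'key : value' lines into a dict, plus the MAC of each session block."""
    info = {"macs": []}
    for line in text.splitlines():
        if " : " in line:  # PAE/BE/session lines use 'key: value' and are skipped here
            key, value = line.split(" : ", 1)
            info[key.strip()] = value.strip()
        if m := SESSION_RE.match(line.strip()):
            info["macs"].append(m.group(1).lower())
    return info

def parse_vlan_brief(text):
    """Map VLAN id -> {port: 'u' | 't'}. Wrapped member lines (starting with a port
    name rather than a VLAN id) belong to the most recently seen VLAN."""
    members, current = {}, None
    for line in text.splitlines():
        head = line.strip().split(" ", 1)[0]
        if head.isdigit():
            current = int(head)
            members.setdefault(current, {})
        for port, tag in MEMBER_RE.findall(line):
            members.setdefault(current, {})[port] = tag
    return members

def vlan_of_port(members, port):
    """VLAN in which 'port' is an untagged member, or None if it is in none."""
    return next((v for v, ports in members.items() if ports.get(port) == "u"), None)

def vlan_id_of(field):
    """'20(Port Authorized by guest vlan)' -> 20; 'N/A' -> None."""
    return int(m.group(1)) if (m := re.match(r"\s*(\d+)", field or "")) else None

def port_state(info):
    """'authenticated', 'guest-vlan' (forwarding without authentication) or 'unauthorized'."""
    if info.get("portStatus", "").lower() == "authorized":
        return "authenticated"
    if "authorized by guest vlan" in info.get("Guest VLAN", "").lower():
        return "guest-vlan"
    return "unauthorized"

def audit_port(dot1x_text, vlan_text, port, access_vlan):
    """Cross-check the dot1x view of 'port' against the VLAN table; access_vlan is the
    configured 'switchport access vlan' (10 on this page)."""
    info = parse_dot1x_interface(dot1x_text)
    state = port_state(info)
    guest, assigned = vlan_id_of(info.get("Guest VLAN")), vlan_id_of(info.get("Assign VLAN"))
    # VLAN the port should be in for its state; an unauthorized port should be in none (None).
    expected = {"guest-vlan": guest,
                "authenticated": assigned if assigned is not None else access_vlan}.get(state)
    actual = vlan_of_port(parse_vlan_brief(vlan_text), port)
    findings = []
    if state == "guest-vlan":
        macs = ", ".join(info["macs"]) or "unknown MAC"
        findings.append("host(s) %s forwarding on guest VLAN %s without authentication" % (macs, guest))
    if guest is not None and guest == access_vlan:
        findings.append("guest VLAN equals the access VLAN, so guest placement grants full access")
    if expected is not None and actual != expected:
        findings.append("VLAN table shows %s in VLAN %s, expected %s" % (port, actual, expected))
    return {"state": state, "expected_vlan": expected, "actual_vlan": actual, "findings": findings}
```

Run `audit_port(DOT1X_GUEST, VLAN_GUEST, "eth-0-22", 10)` to see the guest-VLAN case reported with the session MAC 0058.3f00.0001 and the port confirmed in VLAN 20; the authorized case returns no findings with the port back in VLAN 10. The last two checks are the ones worth keeping in a periodic audit: a guest VLAN that equals the access VLAN makes the guest placement equivalent to full access, and a VLAN table that disagrees with the dot1x state means one of the two views is stale.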

Application cases

N/A