User`s guide

ManualsBrandsDraytek ManualsNetworkingP2261

191

192

193

194

195

196

197

198

199

200

VigorSwitch P2261 User’s Guide

186

Max. Reauth. Count The number of times the switch transmits an EAPOL

Request Identity frame without response before considering

entering the Guest VLAN is adjusted with this setting. The

value can only be changed if the Guest VLAN option is

globally enabled.

Valid values are in the range [1; 255].

Allow Guest VLAN if

EAPOL Seen

The switch remembers if an EAPOL frame has been

received on the port for the life-time of the port. Once the

switch considers whether to enter the Guest VLAN, it will

first check if this option is enabled or disabled. If disabled

(unchecked; default), the switch will only enter the Guest

VLAN if an EAPOL frame has not been received on the

port for the life-time of the port. If enabled (checked), the

switch will consider entering the Guest VLAN even if an

EAPOL frame has been received on the port for the

life-time of the port.

The value can only be changed if the Guest VLAN option is

globally enabled.

Port Configuration

Port The port number for which the configuration below applies.

Admin State If NAS is globally enabled, this selection controls the port's

authentication mode. The following modes are available:

Force Authorized - In this mode, the switch will send one

EAPOL Success frame when the port link comes up, and

any client on the port will be allowed network access

without authentication.

Force Unauthorized - In this mode, the switch will send one

EAPOL Failure frame when the port link comes up, and any

client on the port will be disallowed network access.

Port-based 802.1X - In the 802.1X-world, the user is called

the supplicant, the switch is the authenticator, and the

RADIUS server is the authentication server. The

authenticator acts as the man-in-the-middle, forwarding

requests and responses between the supplicant and the

authentication server. Frames sent between the supplicant

and the switch are special 802.1X frames, known as EAPOL

(EAP Over LANs) frames. EAPOL frames encapsulate EAP

PDUs (RFC3748). Frames sent between the switch and the

RADIUS server are RADIUS packets. RADIUS packets

also encapsulate EAP PDUs together with other attributes

like the switch's IP address, name, and the supplicant's port

number on the switch. EAP is very flexible, in that it allows

for different authentication methods, like MD5-Challenge,

PEAP, and TLS. The important thing is that the

authenticator (the switch) doesn't need to know which

authentication method the supplicant and the authentication

server are using, or how many information exchange frames

are needed for a particular method. The switch simply

encapsulates the EAP part of the frame into the relevant

type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends