Guest Vlans - D-Link DES-1228/ME User Manual

Attribute-Specific field
If the user has configured the bandwidth attribute of the RADIUS server (for example, ingress bandwidth 1000Kbps) and the
802.1X authentication is successful, the device will assign the correct bandwidth (according to the RADIUS server) to the port.
However, if the user does not configure the bandwidth attribute but authenticates successfully, the device will not assign
bandwidth to the port. When the bandwidth attribute is configured on the RADIUS with a value of "0" or more than the effective
bandwidth (100Mbps on an Ethernet port or 1Gbps on a Gigabit port) of the port will be set to no_limit.
To assign 802.1p default priority by RADIUS server, proper parameters should be configured on the RADIUS Server. See below
for the parameters of a user account.
The parameters of the Vendor-Specific attribute are:
Vendor-Specific attribute Description
Vendor-ID
Vendor-Type
Attribute-Specific field
If the user has configured the 802.1p priority attribute of the RADIUS server (for example, priority 7) and the 802.1X
authentication is successful, the device will assign the correct 802.1p default priority (according to the RADIUS server) to the
port. However, if the user does not configure the priority attribute but authenticates successfully, the device will not assign a
priority to this port. If the priority attribute configured on the RADIUS is a value out of range (>7), it will not be set to the device.

Guest VLANs

On 802.1X security enabled networks, there is a need for non
802.1X supported devices to gain limited access to the network, due
to lack of the proper 802.1X software or incompatible devices, such
as computers running Windows 98 or lower operating systems, or
the need for guests to gain access to the network without full
authorization. To supplement these circumstances, this switch now
implements Guest 802.1X VLANs. These VLANs should have
limited access rights and features separate from other VLANs on
the network.
To implement Guest 802.1X VLAN, the user must first create a
VLAN on the network with limited rights and then enable it as an
802.1X guest VLAN. Then the administrator must configure the
guest accounts accessing the Switch to be placed in a Guest VLAN
when trying to access the Switch. Upon initial entry to the Switch,
the client wishing to have services on the Switch will need to be
authenticated by a remote RADIUS Server on the Switch to be
placed in a fully operational VLAN. If authenticated and the
authenticator posseses the VLAN placement information, that client
will be accepted into the fully operational target VLAN and normal
switch functions will be open to the client. Yet, if the client is
denied authentication by the authenticator, it will be placed in the
Guest VLAN where it has limited rights and access. The adjacent
figure should give the user a better understanding of the Guest
VLAN process.
DES-1228/ME Layer 2 Fast Ethernet Managed Switch
Used to assign the
bandwidth of the port
Defines the vendor
The definition of this
attribute
Used to assign the
802.1p default priority
of the port
Unit (Kbits)
Value
171 (DLINK)
4
0-7
Figure 10- 20. Guest VLAN Authentication Process
162
Required
Usage
Required
Required
Required
Client Placed in
Guest VLAN