Guest I-SID support provides limited network access until the client is authenticated. The switch uses the Guest I-SID to forward traffic until the client authenticates and receives other VLAN:I-SID bindings from the RADIUS server.
Guest I-SID is a per-port option. You must configure an I-SID either as a C-VLAN or as an ELAN with an associated platform VLAN before you can configure it as the Guest I-SID. After you configure the Guest I-SID and you enable EAP, an untagged S-UNI is created based on the supplied I-SID. When you change the Guest I-SID while EAP is enabled, the untagged S-UNI is replaced on the port.
In MHSA mode, only one untagged S-UNI can exist on a port at one time. Consider the following:
If there is a manually configured untagged S-UNI on the port, the untagged S-UNI that uses the Guest I-SID replaces it.
If the RADIUS server provides an untagged S-UNI after the client is authenticated, it replaces the untagged S-UNI, which was created based on the Guest I-SID.
If the Guest I-SID is removed, the previous manually configured untagged S-UNI is automatically restored.
If the RADIUS-assigned untagged S-UNI is no longer present, EAP recreates the untagged S-UNI based on the Guest I-SID.
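The four MHSA cases above can be replayed as a small model of the single untagged S-UNI slot on the port. This is an added example, not vendor code: the class, field names and I-SID values are constructed for illustration, and treating the three sources as a strict precedence (RADIUS, then Guest, then manual) is an assumption for any combination the list does not cover.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class MhsaPort:
    """Model of the single untagged S-UNI slot on an EAP-enabled MHSA port."""
    manual_isid: Optional[int] = None   # manually configured untagged S-UNI
    guest_isid: Optional[int] = None    # Guest I-SID configured on the port
    radius_isid: Optional[int] = None   # untagged binding from RADIUS, if any

    def untagged_suni(self):
        """Return (source, I-SID) for the one untagged S-UNI on the port."""
        # A RADIUS-assigned binding replaces the Guest-based S-UNI.
        if self.radius_isid is not None:
            return ("radius", self.radius_isid)
        # The Guest I-SID replaces a manually configured untagged S-UNI.
        if self.guest_isid is not None:
            return ("guest", self.guest_isid)
        # With the Guest I-SID removed, the manual S-UNI is restored.
        if self.manual_isid is not None:
            return ("manual", self.manual_isid)
        return (None, None)


def walk_through():
    """Replay the MHSA cases and record the untagged S-UNI after each step."""
    port = MhsaPort(manual_isid=10100)          # constructed I-SID values
    steps = [("manual only", port.untagged_suni())]
    port.guest_isid = 20200                     # Guest I-SID configured, EAP on
    steps.append(("guest configured", port.untagged_suni()))
    port.radius_isid = 30300                    # client authenticated
    steps.append(("client authenticated", port.untagged_suni()))
    port.radius_isid = None                     # RADIUS binding no longer present
    steps.append(("radius binding gone", port.untagged_suni()))
    port.guest_isid = None                      # Guest I-SID removed
    steps.append(("guest removed", port.untagged_suni()))
    return steps


if __name__ == "__main__":
    for label, (source, isid) in walk_through():
        print(f"{label:22} -> untagged S-UNI from {source}, I-SID {isid}")
```

Comparing the model's output with the untagged S-UNI actually present on a port after each event is a quick way to confirm that unauthenticated clients land in the Guest I-SID and not in the manually configured one.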
In MHMV mode, the untagged S-UNIs provided by the RADIUS server are treated as MAC-based untagged S-UNIs, which are different from the untagged S-UNI on the port. Consider the following factors:
If there is a manually configured untagged S-UNI on the port, the untagged S-UNI, which uses the Guest I-SID, replaces it.
If the Fail-Open I-SID and the Guest I-SID are both configured, the Guest I-SID is applied, as long as a RADIUS server is reachable.
If the RADIUS server becomes unreachable, the untagged S-UNI based on the Fail-Open I-SID is removed and the untagged S-UNI is created based on the Guest I-SID.