Configures a guest VLAN for 802.1X authentication network login.
vlan_name | Specifies the name of the guest VLAN. |
port_list | Specifies one or more ports or slots and ports. If the ports keyword is not used, the command applies to all ports. |
N/A.
This command configures the guest VLAN for 802.1X on the current virtual router (VR).
Note
Beginning with ExtremeXOS 11.6, you can configure guest VLANs on a per-port basis, which allows you to configure more than one guest VLAN per VR. In ExtremeXOS 11.5 and earlier, you can configure guest VLANs only on a per-VLAN basis, which allows only one guest VLAN per VR.
If you do not specify any ports, the guest VLAN is configured for all ports.
Each port can have a different guest VLAN.
A guest VLAN provides limited or restricted network access if a supplicant connected to a port does not respond to the 802.1X authentication requests from the switch. A port always moves untagged into the guest VLAN.
You must create a VLAN and configure it as a guest VLAN before enabling the guest VLAN feature.
Configure guest VLANs only on network login ports with 802.1X enabled.
Movement to guest VLANs is not supported on network login ports with MAC-based or web-based authentication.
802.1X must be the only authentication method enabled on the port for movement to guest VLAN.
No supplicant on the port has 802.1X capability.
Note
The supplicant does not move to a guest VLAN if it fails authentication after an 802.1X exchange; the supplicant moves to the guest VLAN only if it does not respond to an 802.1X authentication request.
By default, the switch attempts to authenticate the supplicant every 30 seconds for a maximum of three tries. If the supplicant does not respond to the authentication requests, the client moves to the guest VLAN. The number of authentication attempts is not a user-configured parameter.
To modify the supplicant response timer, use the following command and specify the supp-resp-timeout parameter:
configure netlogin dot1x timers [{server-timeout server_timeout} {quiet-period quiet_period} {reauth-period reauth_period {reauth-max max_num_reauths}} {supp-resp-timeout supp_resp_timeout}]
If a supplicant on a port in the guest VLAN becomes 802.1X-capable, the switch starts processing the 802.1X responses from the supplicant. If the supplicant is successfully authenticated, the port moves from the guest VLAN to the destination VLAN specified by the RADIUS server.
To enable the guest VLAN, use the following command:
enable netlogin dot1x guest-vlan ports [all | ports]
The following command creates a guest VLAN for 802.1X named guest for all ports:
configure netlogin dot1x guest-vlan guest
The following command creates a guest VLAN named guest for ports 2 and 3:
configure netlogin dot1x guest-vlan guest ports 2,3
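The prerequisites listed above (the guest VLAN must exist and be configured for a port before it is enabled there, and 802.1X must be the only network login method on that port) can be checked against a saved configuration. The following Python audit is an added example, not part of the ExtremeXOS documentation. It runs on a constructed configuration excerpt and assumes ports are written as plain numbers or ranges (no slot:port notation, no `all` keyword) and that network login methods are enabled with `enable netlogin ports <ports> [dot1x] [mac] [web-based]`.

```python
import re

# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
create vlan guest
enable netlogin ports 2,3 dot1x
enable netlogin ports 4 dot1x mac
configure netlogin dot1x guest-vlan guest ports 2,4
enable netlogin dot1x guest-vlan ports 2,3,4
"""

def expand_ports(spec):
    """Expand a simple port list such as '2,3' or '5-7' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_guest_vlan(config):
    """Return (port, finding) tuples for ports where the guest VLAN cannot work."""
    vlans, methods, guest_cfg, guest_on = set(), {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"create vlan (\S+)", line):
            vlans.add(m[1])
        elif m := re.fullmatch(r"enable netlogin ports (\S+) (.+)", line):
            for p in expand_ports(m[1]):
                methods.setdefault(p, set()).update(m[2].split())
        elif m := re.fullmatch(
                r"configure netlogin dot1x guest-vlan (\S+) ports (\S+)", line):
            for p in expand_ports(m[2]):
                guest_cfg[p] = m[1]  # each port can have a different guest VLAN
        elif m := re.fullmatch(
                r"enable netlogin dot1x guest-vlan ports (\S+)", line):
            guest_on |= expand_ports(m[1])
    findings = []
    for p in sorted(guest_on):
        vlan = guest_cfg.get(p)
        if vlan is None:
            findings.append((p, "guest VLAN enabled but none configured"))
        elif vlan not in vlans:
            findings.append((p, f"guest VLAN '{vlan}' was never created"))
        # Ports that also use MAC-based or web-based login never move to the guest VLAN.
        if methods.get(p, set()) != {"dot1x"}:
            findings.append((p, "802.1X is not the only netlogin method"))
    return findings
```

On the sample, port 2 passes, port 3 is flagged because no guest VLAN was configured for it, and port 4 is flagged because MAC-based login is also enabled.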
This command was first available in ExtremeXOS 11.2.
The ports option was added in ExtremeXOS 11.6.
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X690, and X695 series switches.