Security Measures
147
Instruction Manual - NXA-ENET8-POE+
Configuring Network Access for Ports
Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports,
including enabling address authentication, setting the maximum MAC count, and enabling dynamic VLAN or dynamic QoS
assignments.
The following table lists the options on this page:
Perform these steps to configure MAC authentication on switch ports:
1.
Click
Security
>
Network Access
.
2.
Select
Configure Interface
from the Step list.
3.
Click the
General
button.
4.
Set the guest VLAN to use when MAC Authentication or 802.1x Authentication fails, the dynamic VLAN, and the MAC filter.
5.
Click
Apply
.
Security - Network Access Options
Guest VLAN
Specifies the VLAN to be assigned to the port when 802.1x Authentication or MAC authentication
fails. (Range: 0-4094, where 0 means disabled; Default: Disabled)
The VLAN must already be created and active (see the
page 88). Also, when used with 802.1x authentication, intrusion action must be set for Guest
VLAN (see the
Configuring Port Authenticator Settings for 802.1x
A port can only be assigned to the guest VLAN in case of failed authentication, and switchport
mode is set to Hybrid. (See the
Adding Static Members to VLANs
Dynamic VLAN
Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers
returned by the RADIUS server through the 802.1x authentication process are applied to the port,
providing the VLANs have already been created on the switch. (GVRP is not used to create the
VLANs.) (Default: Enabled)
The VLAN settings specified by the first authenticated MAC address are implemented for a port.
Other authenticated MAC addresses on the port must have the same VLAN configuration, or they
are treated as authentication failures.
If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN
configuration (to the 802.1x authentication process), the authentication is still treated as a
success, and the host is assigned to the default untagged VLAN.
When the dynamic VLAN assignment status is changed on a port, all authenticated addresses
mapped to that port are cleared from the secure MAC address table.
MAC Filter ID
Allows a MAC Filter to be assigned to the port. MAC addresses or MAC address ranges present in a
selected MAC Filter are exempt from authentication on the specified port (as described in the
Configuring a MAC Address Filter
section on page 148). (Range: 1-64; Default: None)
FIG. 174
Configuring Interface Settings for Network Access