What is 802.1x Guest VLAN
1. Guest VLAN members can communicate with each other even if they have not passed 802.1x authentication.
2. A Guest VLAN member moves to the target VLAN given by the RADIUS VLAN attribute after passing 802.1x authentication. (Guest VLAN supports only port-based 802.1x, not MAC-based 802.1x.)
[Diagram: (1) 802.1x alone versus (2) 802.1x plus Guest VLAN, with Client 1-3, a RADIUS server and an FTP server on a 6-port switch; (3) after authentication the client port is assigned to the designated VLAN.]
Why 802.1x Guest VLAN
The 802.1x Guest VLAN provides limited services to clients before they pass 802.1x authentication. For example, it can be used to download the necessary 802.1x client software for users who have not installed it yet.
In the diagram, before a client is 802.1x authenticated, the client PCs can still reach the public Web/FTP server in the Guest VLAN to obtain the necessary information. After the client is 802.1x authenticated, the port the client is connected to is assigned a new VLAN membership and can access the network services in the target VLAN.
[Diagram: Client PC1, PC2 and PC3 on 802.1x-enabled ports 1, 8 and 12; Web/FTP Server 1, Web/FTP Server 2 and the RADIUS server on the remaining ports (including port 21); the ports sit in the Guest VLAN before authentication and in VLAN 10 after authentication (authenticated ports are assigned to VLAN v10); the server in VLAN v10 requires the client to be 802.1x authenticated.]
1. Two VLANs: v10 and v20
v10 static members: ports 1-24
v20 static members: ports 25-28
2. Guest VLAN VID = 10
3. Ports 1-12 are Guest VLAN enabled ports
4. Add an IP interface on both VLANs
[Diagram: 802.1x Guest VLAN example. Client PC1 (11.10.10.11/8) on port 1 and Client PC2 (11.10.10.12/8) on port 4, both Guest VLAN enabled ports in Guest VLAN v10; Web/FTP Server 1 on port 19; the RADIUS server (10.10.10.101/8) and Web/FTP Server 2 in VLAN v20 (ports 25 and 26), which a client must be 802.1x authenticated to reach; switch interfaces V10 11.10.10.1/8 and V20 10.10.10.1/8; other addresses shown: 10.10.10.100/8 and 10.10.10.200/8.]
1. DES3828 configuration
## Create VLANs v10 & v20 ##
config vlan default delete 1-28
create vlan v20 tag 20
config vlan v20 add untagged 25-28
config ipif System ipaddress 10.10.10.1/8 vlan v20
create vlan v10 tag 10
config vlan v10 add untagged 1-24
config ipif p10 ipaddress 11.10.10.1/8 vlan v10
## enable 802.1x & guest vlan ##
enable 802.1x
config 802.1x guest_vlan v10
config 802.1x guest_vlan ports 1-12 state enable
## set authenticator ##
config 802.1x capability ports 1-12 authenticator
config radius add 1 10.10.10.101 key 123456 default
2. Client PC configuration:
Run the D-Link 802.1x client software.
3. RADIUS Server configuration:
Create a username and password, and configure the following RADIUS attributes for the user:
Tunnel-Medium-Type (65) = 802
Tunnel-Pvt-Group-ID (81) = 20 (the target VID)
Tunnel-Type (64) = VLAN
[Diagram: 802.1x Guest VLAN setup example, in steps: create VLANs V10 and V20; enable 802.1x and Guest VLAN; set ports 1 to 12 as authenticators; set the RADIUS server.]
About the Windows 2003 RADIUS Server setting
Configure the following RADIUS attributes for the user:
Tunnel-Medium-Type (65) = 802
Tunnel-Pvt-Group-ID (81) = 20 (the target VID)
Tunnel-Type (64) = VLAN
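As an added example (not part of the D-Link slides, and not the DES-3828's own code), the following Python builds the three RADIUS tunnel attributes listed in the RADIUS server configuration above and on this slide as they appear on the wire, and checks an Access-Accept the way a switch should before moving a port: all three present, consistent, in range, and not naming the guest VLAN itself. Attribute numbers and enum values are from RFC 2868 and RFC 3580; the refusal of the guest VID is an assumed policy, not something the page states the switch does.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type (64) = VLAN
MEDIUM_IEEE_802 = 6        # Tunnel-Medium-Type (65) = 802 (IEEE-802)


def tlv(attr_type, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attrs(vid, tag=0):
    """Encode the attribute trio that carries target VLAN `vid` (RFC 3580, section 3.31).
    Tagged integers are Tag(1) + Value(3). The group-ID string gets a tag byte only
    when tag > 0: RFC 2868 says a leading byte <= 0x1F is a tag, otherwise it is data."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    prefix = bytes([tag])
    group = (prefix if tag else b"") + str(vid).encode("ascii")
    return (tlv(TUNNEL_TYPE, prefix + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, prefix + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_attrs(data):
    """Split an attribute blob into (type, value) pairs; reject bad lengths instead of looping."""
    out = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def assigned_vid(attr_blob, guest_vid):
    """VID a switch should apply from an Access-Accept, or None when the trio is
    incomplete, inconsistent, out of range, or names the guest VLAN itself
    (assumed policy: an authenticated user must not be left with guest-only access)."""
    found = {}
    for t, v in parse_attrs(attr_blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            found[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            s = v[1:] if v and v[0] <= 0x1F else v       # strip optional tag byte
            found[t] = s.decode("ascii", "replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802):
        return None
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if not gid.isdigit() or not 1 <= int(gid) <= 4094 or int(gid) == guest_vid:
        return None
    return int(gid)
```

For the page's setup, assigned_vid(build_vlan_attrs(20), 10) returns 20, while a reply carrying only Tunnel-Pvt-Group-ID, or one naming VID 10, yields None and the port should stay in the guest VLAN.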
802.1x Guest VLAN setup example
Before DES-3828 port 1 passes the 802.1x authentication
At this stage, DES-3828 ports 1-24 can communicate with each other, including the Web/FTP server on port 19 in the Guest VLAN, but cannot reach the FTP/Web server on port 26 in VLAN 20.
Command: show vlan
VID : 1 VLAN Name : default
VLAN TYPE : static Advertisement : Enabled
Member ports :
Static ports :
Current Untagged ports :
Static Untagged ports :
Forbidden ports :
VID : 10 VLAN Name : v10
VLAN TYPE : static Advertisement : Disabled
Member ports : 1-24
Static ports : 1-24
Current Untagged ports : 1-24
Static Untagged ports : 1-24
Forbidden ports :
VID : 20 VLAN Name : v20
VLAN TYPE : static Advertisement : Disabled
Member ports : 25-28
Static ports : 25-28
Current Untagged ports : 25-28
Static Untagged ports : 25-28
Forbidden ports :
Command: show 802.1x auth_state
Port Auth PAE State Backend State Port Status
------ -------------- ------------- ------------
1 Connecting Idle Unauthorized
2 Disconnected Idle Unauthorized
3 Disconnected Idle Unauthorized
4 Connecting Idle Unauthorized
5 Disconnected Idle Unauthorized
6 Disconnected Idle Unauthorized
7 Disconnected Idle Unauthorized
8 Disconnected Idle Unauthorized
9 Disconnected Idle Unauthorized
10 Disconnected Idle Unauthorized
11 Disconnected Idle Unauthorized
12 Disconnected Idle Unauthorized
13 ForceAuth Success Authorized
14 ForceAuth Success Authorized
15 ForceAuth Success Authorized
16 ForceAuth Success Authorized
17 ForceAuth Success Authorized
18 ForceAuth Success Authorized
19 ForceAuth Success Authorized
20 ForceAuth Success Authorized
Command: show vlan
VID : 1 VLAN Name : default
VLAN TYPE : static Advertisement : Enabled
Member ports :
Static ports :
Current Untagged ports :
Static Untagged ports :
Forbidden ports :
VID : 10 VLAN Name : v10
VLAN TYPE : static Advertisement : Disabled
Member ports : 2-24
Static ports : 2-24
Current Untagged ports : 2-24
Static Untagged ports : 2-24
Forbidden ports :
VID : 20 VLAN Name : v20
VLAN TYPE : static Advertisement : Disabled
Member ports : 1, 25-28
Static ports : 1, 25-28
Current Untagged ports : 1, 25-28
Static Untagged ports : 1, 25-28
Forbidden ports :
The PC on port 1 can now access FTP/Web Server 2 in VLAN 20, since port 1 has become a member of VLAN 20.
802.1x Guest VLAN setup example
After DES-3828 port 1 passes the 802.1x authentication
Command: show 802.1x auth_state
Port Auth PAE State Backend State Port Status
------ -------------- ------------- ------------
1 Authenticated Idle Authorized
2 Disconnected Idle Unauthorized
3 Disconnected Idle Unauthorized
4 Connecting Idle Unauthorized
5 Disconnected Idle Unauthorized
6 Disconnected Idle Unauthorized
7 Disconnected Idle Unauthorized
8 Disconnected Idle Unauthorized
9 Disconnected Idle Unauthorized
10 Disconnected Idle Unauthorized
11 Disconnected Idle Unauthorized
12 Disconnected Idle Unauthorized
13 ForceAuth Success Authorized
14 ForceAuth Success Authorized
15 ForceAuth Success Authorized
16 ForceAuth Success Authorized
17 ForceAuth Success Authorized
18 ForceAuth Success Authorized
19 ForceAuth Success Authorized
20 ForceAuth Success Authorized
Port 1 passed authentication, so it is assigned to v20, because the RADIUS reply carries the VID = 20 attribute.
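As an added check (not from the slides and not a D-Link tool), this Python parses the "show vlan" and "show 802.1x auth_state" output shown on this page and verifies the Guest VLAN invariant the walkthrough describes: a Guest VLAN enabled port sits in the guest VLAN only while it is Unauthorized, and leaves it for the target VLAN once it is Authorized. The sample output is constructed from the lines above and abbreviated; ports 1-12 are the Guest VLAN enabled range from the configuration, and VIDs 10 and 20 are the guest and target VLANs.

```python
import re
# Constructed sample, abbreviated from the "after authentication" output on this page.
SHOW_VLAN_AFTER = """\
VID : 10 VLAN Name : v10
Member ports : 2-24
VID : 20 VLAN Name : v20
Member ports : 1, 25-28
"""
SHOW_AUTH_AFTER = """\
Port Auth PAE State Backend State Port Status
1 Authenticated Idle Authorized
2 Disconnected Idle Unauthorized
4 Connecting Idle Unauthorized
13 ForceAuth Success Authorized
"""

def expand_ports(spec):
    """'1, 25-28' -> {1, 25, 26, 27, 28}; an empty list -> empty set."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_show_vlan(text):
    """Map VID -> set of member ports from 'show vlan' output."""
    vlans, vid = {}, None
    for line in text.splitlines():
        if m := re.match(r"VID\s*:\s*(\d+)", line):
            vid = int(m.group(1))
            vlans.setdefault(vid, set())
        elif (m := re.match(r"Member ports\s*:\s*(.*)", line)) and vid is not None:
            vlans[vid] = expand_ports(m.group(1))
    return vlans

def parse_auth_state(text):
    """Map port -> 'Authorized' / 'Unauthorized' from 'show 802.1x auth_state'."""
    rows = re.findall(r"^\s*(\d+)\s+\S+\s+\S+\s+(Authorized|Unauthorized)\s*$", text, re.M)
    return {int(p): s for p, s in rows}

def guest_vlan_violations(vlans, status, guest_vid, target_vid, guest_ports):
    """Guest-enabled ports breaking the rule: unauthorized -> in the guest VLAN only;
    authorized -> in the target VLAN and no longer in the guest VLAN."""
    bad = []
    for p in sorted(guest_ports):
        in_guest, in_target = p in vlans.get(guest_vid, ()), p in vlans.get(target_vid, ())
        ok = (in_target and not in_guest) if status.get(p) == "Authorized" else (in_guest and not in_target)
        if not ok:
            bad.append(p)
    return bad
```

On the page's "after" output the check returns an empty list; a port that appeared in VLAN 20 while still Unauthorized would be reported, which is the condition worth alerting on when auditing this setup.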
802.1x Guest VLAN Test Result
Test Result:
1. Before PC1 passes 802.1x authentication, PC1 can still ping and access PC2 and FTP/Web Server 1 in the Guest VLAN.
2. After PC1 is 802.1x authenticated, PC1 can access FTP/Web Server 2, because PC1 has been moved from Guest VLAN VID 10 to VLAN 20. (PC1 can no longer access PC2 or FTP/Web Server 1.)