Netgear XCM8806 Chassis User Manual - Page 408
Post-authentication VLAN Movement, 802.1x Authentication and Network Access Protection
Page 408 highlights
NETGEAR 8800 User Manual

unconfigure netlogin dot1x guest-vlan {ports | }

Displaying Guest VLAN Settings

To display the guest VLAN settings, use the following command:

show netlogin guest-vlan {vlan_name}

If you specify the vlan_name, the switch displays information for only that guest VLAN. The output displays the following information in a tabular format:

• Port: Specifies the 802.1x enabled port configured for the guest VLAN.
• Guest-vlan: Displays guest VLAN name and status: enable/disable.
• Vlan: Specifies the name of the guest VLAN.

Post-authentication VLAN Movement

After the supplicant has been successfully authenticated and the port has been moved to a VLAN, the supplicant can move to a VLAN other than the one it was authenticated on. This occurs when the switch receives an Access-Accept message from the RADIUS server with a VSA that defines a new VLAN. The supplicant remains authenticated during this transition. This occurs on both untagged and tagged VLANs.

For example, suppose a supplicant submits the required credentials for network access; however, it is not running the current, approved anti-virus software or it does not have the appropriate software updates installed. If this occurs, the supplicant is authenticated but has limited network access until the problem is resolved. After you update the supplicant's anti-virus software, or install the software updates, the RADIUS server re-authenticates the supplicant by sending Access-Accept messages with the accompanying VLAN attributes, thereby allowing the supplicant to enter its permanent VLAN with full network access. This is normal and expected behavior; no configuration is necessary.

802.1x Authentication and Network Access Protection

802.1x authentication in combination with Microsoft's Network Access Protection (NAP) provides additional integrity checks for end users and supplicants that attempt to access the network. NAP allows network administrators to create system health policies to ensure that supplicants that access or communicate with the network meet administrator-defined system health requirements.

For example, if a supplicant has the appropriate software updates or anti-virus software installed, the supplicant is deemed healthy and granted network access. On the other hand, if a supplicant does not have the appropriate software updates or anti-virus software installed, the supplicant is deemed unhealthy and is placed in a quarantine VLAN until the appropriate update or anti-virus software is installed. After the supplicant is healthy, it is granted network access.

For more information about NAP, see the documentation that came with your Microsoft Windows or Microsoft Server software.

To configure your network for NAP, the minimum required components are:

408 | Chapter 16. Network Login
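
An audit-side illustration of the behavior described under Post-authentication VLAN Movement, added here and not taken from the NETGEAR manual: it parses RADIUS Access-Accept packets (RFC 2865 layout), reads the VLAN name from a Vendor-Specific attribute, and reports each time an already-authenticated supplicant is assigned a different VLAN. VENDOR_ID, VLAN_SUBTYPE, the presence of User-Name in the reply, and the packets produced by build_accept are assumptions; take the real vendor number and sub-type from your switch's RADIUS dictionary.

```python
import struct

ACCESS_ACCEPT, USER_NAME, VENDOR_SPECIFIC = 2, 1, 26  # RFC 2865 code and attribute types
VENDOR_ID = 99999    # placeholder enterprise number (assumption, not from the manual)
VLAN_SUBTYPE = 1     # placeholder vendor sub-type carrying the VLAN name (assumption)

def parse_access_accept(packet):
    """Return (user, vlan) from an Access-Accept; None for other codes or malformed input."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        return None
    user = vlan = None
    pos = 20                                   # 4-byte header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                        # malformed attribute: reject the packet
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            user = value.decode("utf-8", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == VENDOR_ID and vtype == VLAN_SUBTYPE and 2 <= vlen <= len(value) - 4:
                vlan = value[6:4 + vlen].decode("utf-8", "replace")
        pos += alen
    return user, vlan

def track_movement(packets):
    """Return [(user, old_vlan, new_vlan)] for every post-authentication VLAN change."""
    current, moves = {}, []
    for pkt in packets:
        parsed = parse_access_accept(pkt)
        if not parsed or None in parsed:
            continue                           # not an Accept, or no user/VLAN to correlate
        user, vlan = parsed
        if current.get(user, vlan) != vlan:
            moves.append((user, current[user], vlan))
        current[user] = vlan
    return moves

def build_accept(user, vlan):
    """Constructed sample Access-Accept (zeroed authenticator, so not a valid signed reply)."""
    u, v = user.encode(), vlan.encode()
    vsa = struct.pack("!IBB", VENDOR_ID, VLAN_SUBTYPE, len(v) + 2) + v
    attrs = bytes([USER_NAME, len(u) + 2]) + u + bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

Feeding track_movement the Access-Accept payloads from a RADIUS capture gives a record of which supplicants left the quarantine VLAN and when, which can be compared against the health-policy decisions that should have triggered each move.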