TP-Link TL-SG3424P Switch User Manual


 
further authentication. Whereas the randomly-generated key in EAP-MD5 relay mode is generated
by the authentication server, and the switch is responsible to encapsulate the authentication
packet and forward it to the RADIUS server.
802.1X Timer
In 802.1 x authentication, the following timers are used to ensure that the supplicant system, the
switch, and the RADIUS server interact in an orderly way:
1 Supplicant system timer (Supplicant Timeout): This timer is triggered by the switch
after the switch sends a request packet to a supplicant system. The switch will resend the
request packet to the supplicant system if the supplicant system fails to respond in the
specified timeout period.
2 RADIUS server timer (Server Timeout): This timer is triggered by the switch after the
switch sends an authentication request packet to RADIUS server. The switch will resend
the authentication request packet if the RADIUS server fails to respond in the specified
timeout period.
3 Quiet-period timer (Quiet Period): This timer sets the quiet-period. When a supplicant
system fails to pass the authentication, the switch quiets for the specified period before it
processes another authentication request re-initiated by the supplicant system.
Guest VLAN
Guest VLAN function enables the supplicants that do not pass the authentication to access the
specific network resource.
By default, all the ports connected to the supplicants belong to a VLAN, i.e. Guest VLAN. Users
belonging to the Guest VLAN can access the resources of the Guest VLAN without being
authenticated. But they need to be authenticated before accessing external resources. After
passing the authentication, the ports will be removed from the Guest VLAN and be allowed to
access the other resources.
With the Guest VLAN function enabled, users can access the Guest VLAN to install 802.1X client
program or upgrade their 802.1x clients without being authenticated. If there is no supplicant past
the authentication on the port in a certain time, the switch will add the port to the Guest VLAN.
With 802.1X function enabled and Guest VLAN configured, after the maximum number retries
have been made to send the EAP-Request/Identity packets and there are still ports that have not
sent any response back, the switch will then add these ports into the Guest VLAN according to
their link types. Only when the corresponding user passes the 802.1X authentication, the port will
be removed from the Guest VLAN and added to the specified VLAN. In addition, the port will back
to the Guest VLAN when its connected user logs off.
The 802.1X function is implemented on the Global Config, Port Config and Radius Server
pages.
12.4.1 Global Config
On this page, you can enable the 802.1X authentication function globally and control the
authentication process by specifying the Authentication Method, Guest VLAN and various Timers.
198