How to configure the switch to send unauthorized users in a Guest VLAN

Zyxel小編 Lucious
Zyxel小編 Lucious Posts: 279
25 Answers First Comment Friend Collector Third Anniversary
 Zyxel Employee
edited July 1 in Network Security

The example shows administrators how to use Guest VLAN for users that fails or used an invalid user credential during 802.1x port authentication. In a real application, we may need to allow guests to access the USG so that they can access the Internet, but still isolated from Private-Server. On the contrary, we have to allow the users with valid credentials to only access the Private-Server.


All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.

1. Configuration

1-1. Configure 802.1x Port Authentication in the switch

Configure 802.1x on all towards users. Do not enable Port Authentication on ports to the USG, RADIUS-Server, and Private-Server.

1-2. Configure VLAN for Guest VLAN in the switch

Configure the VLAN for Guest VLAN (VLAN 100) on Switch. VLAN 100: Set fixed port: 1, 2, 3, 30; untagged port: 1, 2, 3, 30; forbidden port: 31, 32; port 30: pvid=100. VLAN 1: Set forbidden port: 30. For isolating VLAN 1 and 100.

1-3. Configure Guest VLAN for Failed Authentication in the switch

Go to Menu > Advanced Application > Port Authentication > 802.1x > Guest Vlan. Activate the Guest Vlan on port 1-3 and type the guest Vlan as 100. Press “Apply”.

1-4. Configure the RADIUS Server

1-4-1. Edit the client profile in /etc/freeradius/clients.conf. Save the file and exit.


The client IP address and secret must match the management IP and shared secret of the Switch.

1-4-2. Add the following user profiles in /etc/freeradius/users. Save the file and exit.

1-4-3. Restart FreeRADIUS service.

1-5. Configure the setting on User-A, User-B and Guest in Windows

1-5-1. In the Services window, locate the service named Wired AutoConfig. Make sure the service status is “Started”.

1-5-2. Right-click on your network adapter and select Properties. Click on the Authentication tab and check “Enable IEEE 802.1X authentication”. Make sure that the network authentication method is “Microsoft: Protected EAP (PEAP)”.

1-5-3. Click on Additional Settings, select Specify authentication mode and specify User authentication.

2. Test the Result

2-1. Disconnect and connect the PC with Switch. PC should show an “Additional information is needed to connect to this network.” pop-up message.

2-2. Enter the username (User-A) and password (zyxeluserA) which must be consistent with the RADIUS-Server’s user profile settings.

2-3. Devices using User-A and User-B credentials can communicate with Private-Server.

2-4. Connect User-A device to the Switch. User-A should show an “Additional information is needed to connect to this network.” pop-up message.

2-5. Enter the username (Guest) and a random password.

2-6. Device using Guest credentials cannot communicate with Private-Server, but it can communicate with USG.

2-7. Check the MAC table of the Switch. The device of users with wrong credentials are assigned to VLAN 100. (Menu > Management > MAC Table > Search)

3. What Could Go Wrong

3-1. If the PC doesn’t pop up the authentication message after connecting the PC to the switch:

3-1-1. Try to use the Switch to ping Radius-Server. The Switch should be able to ping Radius-Server.

3-1-2. Right-click on your network adapter and select Properties > Authentication > Additional settings. Uncheck the “Validate server certificate”.

3-2. If the shared secret setting of Switch and PC does NOT match, the authentication will fail.

3-3. If the authentication is fine, but the PC cannot ping Server, please check 801.1X Port Authentication configurations. Do NOT activate the authentication on the uplink port (port 2, 3, and 12).

3-4. If devices sent to the Guest VLAN cannot reach the USG, make sure that the switch has created and configured the Guest VLAN in Advance Application > VLAN > VLAN Configuration > Static VLAN Setup.