Tagged and untagged VLAN attributes
To configure a user profile on a RADIUS server and assign a VLAN to an authenticated client, you can use either the VLAN name or VLAN ID (VID) number. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either "100" or "vlan100" to specify the VLAN.
hp-egress-vlan-id(64): Configures an optional, egress VLAN ID for either tagged or untagged packets.

hp-egress-vlan-name(65): Configures an optional, egress VLAN for either tagged or untagged packets when the VLAN ID is not known.

Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID: Tunnel attributes that specify an untagged VLAN assignment (RFC 3580).

Use only the VLAN ID or the VLAN name for a given VLAN.
RADIUS Attribute | Times Used | Description | Value String | Value |
---|---|---|---|---|
HP-Egress-VLANID (11.64) | 1-* | Alternate VSA for Egress-VLANID | – | <tagged/untagged(0x31 or 0x32)>000<VLAN_ID (as hex)> |
HP-Egress-VLAN-Name (11.65) | 1-* | Alternate VSA for Egress-VLAN-Name | – | <tagged/untagged(1 or 2)><VLAN Name String> |

The value of Egress-VLANID is a bit string. The first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 (untagged). The next 12 bits are padding (0x000), and the final 12 bits are the VLAN ID as an integer value. For example, the value to set VLAN 17 as a tagged egress VLAN would be 0x31000011.
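
The value layout described above, as an added example (not code from the switch documentation): Python helpers that build Egress-VLANID and Egress-VLAN-Name values and reject malformed Egress-VLANID values before they reach a RADIUS user profile. The function names, the 1-4094 VLAN ID range check (IEEE 802.1Q reserves 0 and 4095), and the sample values are assumptions of this example.

```python
# Added example: encode and validate Egress-VLANID / Egress-VLAN-Name values.
TAGGED, UNTAGGED = 0x31, 0x32   # first 8 bits of the value; ASCII '1' and '2'


def encode_egress_vlanid(vid: int, tagged: bool) -> int:
    """Build the 32-bit value: 8-bit tag indicator, 12 zero bits, 12-bit VID."""
    if not 1 <= vid <= 4094:          # assumption: 0 and 4095 are reserved IDs
        raise ValueError(f"VLAN ID out of range: {vid}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vid


def decode_egress_vlanid(value: int) -> tuple[int, bool]:
    """Return (vid, tagged); raise ValueError for a malformed value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value is not a 32-bit integer")
    indicator, padding, vid = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if indicator not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indicator 0x{indicator:02x}")
    if padding != 0:
        raise ValueError(f"non-zero padding 0x{padding:03x}")
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID out of range: {vid}")
    return vid, indicator == TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> str:
    """Name form from the table: '1' (tagged) or '2' (untagged), then the name."""
    if not name:
        raise ValueError("empty VLAN name")
    return ("1" if tagged else "2") + name


def audit(values: list[int]) -> list[tuple[str, str]]:
    """Decode each value; return (hex value, result or rejection reason)."""
    report = []
    for v in values:
        try:
            vid, tagged = decode_egress_vlanid(v)
            report.append((f"0x{v:08x}", f"VLAN {vid} {'tagged' if tagged else 'untagged'}"))
        except ValueError as exc:
            report.append((f"0x{v:08x}", f"REJECT: {exc}"))
    return report


if __name__ == "__main__":
    # Constructed sample values, as they might appear in RADIUS user profiles.
    for row in audit([0x31000011, 0x32000064, 0x00000011, 0x31001011]):
        print(*row)
```
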
Tunnel (untagged VLAN) attributes may be included in the same RADIUS packet as the Egress-VLANID and Egress-VLAN-Name attributes. These attributes are not mutually exclusive. The switch processes the VLAN information returned from the remote RADIUS server for each client (user) that successfully authenticates through 802.1X, web-based, or MAC authentication. The VLAN information is part of the user profile stored in the RADIUS server database and is applied if the VLANs exist on the switch.