Using 802.1X authentication with other features
VLAN assignment
The device can work with a RADIUS server to assign VLANs to 802.1X users. The device accepts untagged VLANs that are assigned through the RFC 3580-compliant Tunnel attributes and tagged VLANs that are assigned through the RFC 4675-compliant Egress-VLANID or Egress-VLAN-Name attribute.
NOTE: Access ports do not support RFC 4675-compliant assignment of VLANs. Trunk and hybrid ports support RFC 4675-compliant assignment of only tagged VLANs. | ||
Table 6 and Table 7 describes how the device handles VLANs assigned through a RADIUS server
Table 6: VLAN assignment in port-based access control mode
Link type | VLAN assignment |
---|---|
Access port | Sets the VLAN ID assigned through the Tunnel attributes as the PVID on the port. All subsequent users can access the network, regardless of their VLANs. When the authenticated user logs off, the previous PVID restores, and all users attached to the port cannot access the network. |
Trunk/hybrid port |
|
Table 7: VLAN assignment in MAC-based access control mode
Link type | VLAN assignment |
---|---|
Access | Sets the VLAN ID assigned through the Tunnel attributes to the first authenticated user as the PVID on the port. If a different VLAN is assigned to a subsequent user, the user cannot pass the authentication. To avoid the authentication failure of subsequent users, be sure to assign the same VLAN to all 802.1X users that are attached to an access port. |
Trunk |
|
Hybrid |
When a user logs off, the MAC-to-VLAN mapping for the user is removed. If MAC-based VLAN is enabled, the device does not replace the PVID on the port with a server assigned VLAN, regardless of whether the assignment is through Tunnel attributes or the Egress-VLANID attribute. |
On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.
VLAN group assignment
Use VLAN group assignment to balance users across several VLANs.
VLAN group assignment allows the authentication server to assign a VLAN group to the access device for an 802.1X user. From this VLAN group, the device picks a VLAN for the 802.1X user in the following order:
Selects the VLAN that has the fewest number of online 802.1X users.
If a port performs port-based access control, all 802.1X users attached to the port are counted as one user.
If two VLANs have the same number of 802.1X users, the device selects the VLAN with the lower ID.
Guest VLAN
You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.
On a port that performs port-based access control
Authentication status | VLAN manipulation |
---|---|
No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled | Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation. |
A user in the 802.1X guest VLAN fails 802.1X authentication | If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, assigns the Auth-Fail VLAN to the port as the PVID. All users on this port can access only resources in the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X guest VLAN. All users on the port are in the guest VLAN. |
A user in the 802.1X guest VLAN passes 802.1X authentication |
|
On a port that performs MAC-based access control
To use the 802.1X guest VLAN function on a port that performs MAC-based access control, make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.
Authentication status | VLAN manipulation |
---|---|
A user has not passed 802.1X authentication yet | Creates a mapping between the MAC address of the user and the 802.1X guest VLAN. The user can access resources in the guest VLAN. |
A user in the 802.1X guest VLAN fails 802.1X authentication | If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest VLAN. |
A user in the 802.1X guest VLAN passes 802.1X authentication | Re-maps the MAC address of the user to the VLAN specified for the user. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port. |
NOTE: The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member. | ||
Auth-Fail VLAN
You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.
On a port that performs port-based access control
Authentication status | VLAN manipulation |
---|---|
A user fails 802.1X authentication | Assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN. |
A user in the Auth-Fail VLAN fails 802.1X re-authentication | The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this port are in this VLAN. |
A user passes 802.1X authentication |
|
On a port that performs MAC-based access control
To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.
Authentication status | VLAN manipulation |
---|---|
A user fails 802.1X authentication | Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. |
A user in the Auth-Fail VLAN fails 802.1X re-authentication | The user is still in the Auth-Fail VLAN. |
A user in the Auth-Fail VLAN passes 802.1X authentication | Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port. |
NOTE: The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member. | ||
Critical VLAN
You configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the critical VLAN can access a limit set of network resources depending on your configuration.
The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about RADIUS configuration, see "Configuring AAA."
For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.
The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode.
On a port that performs port-based access control
Authentication status | VLAN manipulation |
---|---|
A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable. | Assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port can access only resources in the critical VLAN. |
A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable. | The critical VLAN is still the PVID of the port, and all 802.1X users on this port are in this VLAN. |
A user in the 802.1X critical VLAN fails authentication for any other reason than server unreachable. | If an Auth-Fail VLAN has been configured, the PVID of the port changes to Auth-Fail VLAN ID, and all 802.1X users on this port are moved to the Auth-Fail VLAN. |
A user in the critical VLAN passes 802.1X authentication. |
|
A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS servers is reachable. | The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the guest VLAN or the Auth-Fail VLAN. |
On a port that performs MAC-based access control
To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.
Authentication status | VLAN manipulation |
---|---|
A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable. | Maps the MAC address of the user to the critical VLAN. The user can access only resources in the critical VLAN. |
A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable. | The user is still in the critical VLAN. |
A user in the critical VLAN fails 802.1X authentication for any other reason than server unreachable. | If an Auth-Fail VLAN has been configured, re-maps the MAC address of the user to the Auth-Fail VLAN ID. |
A user in the critical VLAN passes 802.1X authentication. | Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the default or user-configured PVID on the port. |
A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS server are unreachable. | The user remains in the 802.1X VLAN or the Auth-Fail VLAN. |
A user in the MAC authentication guest VLAN fails 802.1X authentication because all the 802.1X authentication server are unreachable. | The user is removed from the MAC authentication VLAN and mapped to the 802.1X critical VLAN. |
NOTE: The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member. | ||
Any of the following RADIUS authentication server changes in the ISP domain for 802.1X users on a port can cause the users to be removed from the critical VLAN:
An authentication server is added to the ISP domain and the server is reachable.
A response from a RADIUS authentication server is received.
The RADIUS server probing function detects that a RADIUS authentication server is reachable.
You can use the dot1x critical recovery-action reinitialize command to configure the port to trigger 802.1X re-authentication when the port or an 802.1X user on the port is removed from the critical VLAN.
If MAC-based access control is used, the port sends a unicast Identity EAP/Request to the 802.1X user to trigger authentication.
If port-based access control is used, the port sends a multicast Identity EAP/Request to the 802.1X users to trigger authentication.
ACL assignment
You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access device. You can change ACL rules while the user is online.