VLAN assignment

Authorization VLAN

The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources.

The device supports the following VLAN authorization methods:

Table 9 describes the way the network access device handles authorization VLANs for MAC authenticated users.

Table 10: VLAN manipulation

Port type: Access port, trunk port, or hybrid port with MAC-based VLAN disabled

VLAN manipulation:

  • If the port is assigned to the authorization VLAN as an untagged member, the device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. All MAC authentication users on the port must be assigned the same authorization VLAN. If a different authorization VLAN is assigned to a subsequent user, the user cannot pass MAC authentication.

  • If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change. The device maps the MAC address of each user to its own authorization VLAN.

  NOTE: An access port can be assigned to an authorization VLAN only as an untagged VLAN member.

Port type: Hybrid port with MAC-based VLAN enabled

VLAN manipulation: The device maps the MAC address of each user to its own authorization VLAN regardless of whether the port is a tagged member. The PVID of the port does not change.


IMPORTANT:

  • MAC authentication support for tagged VLAN assignment is available in Release 1121 and later.

  • As a best practice, always assign a hybrid port to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.


Guest VLAN

You can configure a MAC authentication guest VLAN on a port to accommodate users that have failed MAC authentication on the port. Users in the MAC authentication guest VLAN can access a limited set of network resources, such as a software server, to download software and system patches. If no MAC authentication guest VLAN is configured, the users that have failed MAC authentication cannot access any network resources.

A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.

Table 10 shows the way that the network access device handles guest VLANs for MAC authentication users.

Table 11: VLAN manipulation

Authentication status: A user in the MAC authentication guest VLAN fails MAC authentication for any other reason than server unreachable.

VLAN manipulation: The user is still in the MAC authentication guest VLAN.

Authentication status: A user in the MAC authentication guest VLAN passes MAC authentication.

VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the port.

Critical VLAN

You can configure a MAC authentication critical VLAN on a port to accommodate users that fail MAC authentication because no RADIUS authentication server is reachable. Users in a MAC authentication critical VLAN can access only network resources in the critical VLAN.

The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."

Table 11 shows the way that the network access device handles critical VLANs for MAC authentication users.

Table 12: VLAN manipulation

Authentication status: A user that has not been assigned to any VLAN fails MAC authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The device maps the MAC address of the user to the MAC authentication critical VLAN. The user is still in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable.

Authentication status: A user in the MAC authentication critical VLAN fails MAC authentication for any other reason than server unreachable.

VLAN manipulation: If a guest VLAN has been configured, the device maps the MAC address of the user to the guest VLAN. If no guest VLAN is configured, the device remaps the MAC address of the user to the PVID of the port.

Authentication status: A user in the MAC authentication critical VLAN passes MAC authentication.

VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the access port.
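The rules in Tables 10 through 12 collapse into one small state machine, which is useful when reviewing what VLAN a given MAC address will land in after a pass, a rejection, or a RADIUS outage. The Python model below is an added example, not code from the page or from the device vendor: Port, Result and apply_mac_auth are constructed names, and the two cases the tables leave open (a second user assigned a different authorization VLAN, and a guest-VLAN user whose servers become unreachable) are handled under assumptions stated in the docstring.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"                # failed for any reason other than server unreachable
    UNREACHABLE = "unreachable"  # all RADIUS servers unreachable

@dataclass
class Port:  # constructed model of one port's MAC authentication VLAN state
    pvid: int
    guest_vlan: int | None = None
    critical_vlan: int | None = None
    mac_based_vlan: bool = False   # True only for a hybrid port with MAC-based VLAN enabled
    authz_vlan: int | None = None  # untagged authorization VLAN applied as PVID (Table 10)
    mac_vlan: dict[str, int] = field(default_factory=dict)  # MAC -> VLAN currently mapped

def apply_mac_auth(port: Port, mac: str, result: Result, authz_vlan: int | None = None) -> int | None:
    """Return the VLAN the MAC ends up in (None = no access) and update the port state.
    Assumptions beyond the page: a second user assigned a different authorization
    VLAN on a port without MAC-based VLAN is handled as an ordinary failure, and a
    guest-VLAN user whose servers become unreachable is handled like a new user.
    """
    if result is Result.PASS and authz_vlan is not None and not port.mac_based_vlan:
        # Table 10, untagged member: the first user's authorization VLAN becomes the
        # PVID, and every later user on the port must be assigned that same VLAN.
        if port.authz_vlan is None:
            port.authz_vlan = port.pvid = authz_vlan
        elif authz_vlan != port.authz_vlan:
            result = Result.FAIL
    if result is Result.PASS:
        # Tables 11 and 12: server-assigned authorization VLAN, otherwise the port PVID
        vlan = authz_vlan if authz_vlan is not None else port.pvid
    elif result is Result.UNREACHABLE and port.critical_vlan is not None:
        # Table 12: critical VLAN, on first failure and on reauthentication alike
        vlan = port.critical_vlan
    elif port.critical_vlan is not None and port.mac_vlan.get(mac) == port.critical_vlan:
        # Table 12: critical-VLAN user fails for another reason -> guest VLAN, else PVID
        vlan = port.guest_vlan if port.guest_vlan is not None else port.pvid
    elif port.guest_vlan is not None:
        # Table 11: failed users land in, or stay in, the guest VLAN
        vlan = port.guest_vlan
    else:
        vlan = None  # no guest VLAN configured: a failed user gets no network access
    port.mac_vlan.pop(mac, None)
    if vlan is not None:
        port.mac_vlan[mac] = vlan
    return vlan
```

Walking a port through a pass, a conflicting second authorization VLAN, a RADIUS outage and a later rejection shows why the PVID change on a non-MAC-based-VLAN port matters: every later user on that port inherits the first user's VLAN as the fallback.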