VLAN assignment
Authorization VLAN
The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources.
The device supports the following VLAN authorization methods:
Remote VLAN authorization—The authorization VLAN information of a MAC authentication user is assigned by a remote server. The device can resolve server-assigned VLANs in the form of VLAN ID or VLAN name.
The port through which the user accesses the device is assigned to the authorization VLAN as a tagged or untagged member.
Local VLAN authorization—The authorization VLAN of a MAC authentication user is specified in user view or user group view in the form of VLAN ID on the device.
The port through which the user accesses the device is assigned to the VLAN as an untagged member. Tagged VLAN assignment is not supported.
For more information about local authorization VLAN configuration, see "Configuring AAA."
Table 9 describes the way the network access device handles authorization VLANs for MAC authenticated users.
Table 10: VLAN manipulation
Port type | VLAN manipulation | |
---|---|---|
| NOTE: |
An access port can be assigned to an authorization VLAN only as an untagged VLAN member. |
Hybrid port with MAC-based VLAN enabled | The device maps the MAC address of each user to its own authorization VLAN regardless of whether the port is a tagged member. The PVID of the port does not change. |
IMPORTANT: MAC authentication support for tagged VLAN assignment is available in Release 1121 and later. As a best practice, always assign a hybrid port to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN. | ||
Guest VLAN
You can configure a MAC authentication guest VLAN on a port to accommodate users that have failed MAC authentication on the port. Users in the MAC authentication guest VLAN can access a limited set of network resources, such as a software server, to download software and system patches. If no MAC authentication guest VLAN is configured, the users that have failed MAC authentication cannot access any network resources.
A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
Table 10 shows the way that the network access device handles guest VLANs for MAC authentication users.
Table 11: VLAN manipulation
Authentication status | VLAN manipulation |
---|---|
A user in the MAC authentication guest VLAN fails MAC authentication for any other reason than server unreachable. | The user is still in the MAC authentication guest VLAN. |
A user in the MAC authentication guest VLAN passes MAC authentication. | The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the port. |
Critical VLAN
You can configure a MAC authentication critical VLAN on a port to accommodate users that fail MAC authentication because no RADIUS authentication server is reachable. Users in a MAC authentication critical VLAN can access only network resources in the critical VLAN.
The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."
Table 11 shows the way that the network access device handles critical VLANs for MAC authentication users.
Table 12: VLAN manipulation
Authentication status | VLAN manipulation |
---|---|
A user that has not been assigned to any VLAN fails MAC authentication because all the RADIUS servers are unreachable. | The device maps the MAC address of the user to the MAC authentication critical VLAN. The user is still in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable. |
A user in the MAC authentication critical VLAN fails MAC authentication for any other reason than server unreachable. | If a guest VLAN has been configured, the device maps the MAC address of the user to the guest VLAN. If no guest VLAN is configured, the device remaps the MAC address of the user to the PVID of the port. |
A user in the MAC authentication critical VLAN passes MAC authentication. | The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the access port. |