Authorization VLAN
The authorization VLAN controls the access of an 802.1X user to authorized network resources. The device supports authorization VLANs assigned locally or by a remote server. Only remote servers can assign tagged authorization VLANs.
Remote VLAN authorization
In remote VLAN authorization, you must specify authorization VLAN information on the remote server. After the user passes authentication, the server assigns the information to the device. The device resolves the authorization VLAN information and assigns the user's access port to the authorization VLAN as a tagged or untagged member. If the resolution fails, the user fails authentication.
The device can resolve the following formats of VLANs assigned by the remote server:
- VLAN ID.
- VLAN name. The VLAN name is the VLAN description configured on the access device.
- Combination of VLAN IDs and VLAN names. In the string, some VLANs are represented by their IDs and others by their names.
- VLAN group name. For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.
- VLAN ID with suffix. The suffix is t or u and indicates whether the ports assigned to the VLAN are tagged (t) or untagged (u) members. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members.

NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
The device cannot resolve the following types of VLANs assigned by the remote server. A user whose authorization VLAN string contains one of them fails authentication:
- Dynamically learned VLANs.
- Nonexistent VLANs.
- Reserved VLANs.
- Super VLANs.
- Private VLANs.
If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the VLAN ID format. Table 6 describes the authorization VLAN selection and assignment rules for a group of VLANs.

Table 6: Authorization VLAN selection and assignment from a group of VLANs

Types of VLANs | Authorization VLAN selection and assignment rules
---|---
VLAN IDs, VLAN names, VLAN group names, or a combination of VLAN IDs and names (no suffixes) | MAC-based access control: the device selects one VLAN from the group as the authorization VLAN of the user, depending on whether the port already has other online users. Port-based access control: the device selects the VLAN with the lowest ID from the group, and all subsequent 802.1X users on the port are assigned to that VLAN.
VLAN IDs with suffixes | Each VLAN with the u suffix is assigned as an untagged VLAN, every other VLAN in the string is assigned as a tagged VLAN, and the untagged VLAN becomes the PVID. For example, if the authentication server sends the string 1u 2t 3 for a user, the device assigns VLAN 1 as an untagged VLAN and VLANs 2 and 3 as tagged VLANs, and VLAN 1 becomes the PVID.

NOTE: Assign VLAN IDs with suffixes only to hybrid or trunk ports that perform port-based access control.
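The following script is an added example, not code from the vendor documentation. It models the resolution described above for a port performing port-based access control: it resolves a server-assigned string in each listed format (ID, name, combination, group name, ID with t/u suffix) against a constructed VLAN table, rejects the VLAN types the device cannot resolve so that the user fails authentication, and applies the Table 6 selection rules, including the 1u 2t 3 suffix case. The VLAN table, the corp VLAN group, the AuthorizationError class, the PortMembership result type and the rejects() helper are all assumptions of this example. The MAC-based selection rule, which depends on other online users, is not modelled, and the treatment of a suffix-free string as an untagged assignment is an assumption stated in the code.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the access device's VLAN database: id -> (name, kind).
# "kind" marks the VLAN types the text says cannot be used as an authorization VLAN.
VLAN_TABLE = {
    1: ("default", "static"),
    2: ("voice", "static"),
    3: ("printers", "static"),
    10: ("staff", "static"),
    20: ("guests", "static"),
    30: ("lab", "dynamic"),        # dynamically learned VLAN
    100: ("super100", "super"),    # super VLAN
    200: ("pvlan200", "private"),  # private VLAN
    4094: ("rsvd", "reserved"),    # reserved VLAN
}
# Constructed VLAN group, as it would be configured on the device.
VLAN_GROUPS = {"corp": [20, 10]}


class AuthorizationError(Exception):
    """Resolution failed; the device fails the user's authentication."""


def _assignable(vid):
    """Reject the VLAN types the device cannot resolve."""
    entry = VLAN_TABLE.get(vid)
    if entry is None:
        raise AuthorizationError(f"VLAN {vid} does not exist")
    _name, kind = entry
    if kind != "static":
        raise AuthorizationError(f"VLAN {vid} is a {kind} VLAN")
    return vid


def resolve_token(token):
    """Map one token to a list of (vlan_id, suffix); suffix is 't', 'u' or None."""
    m = re.fullmatch(r"([1-9]\d*)([tu])?", token)
    if m:                                   # VLAN ID, optionally with a t/u suffix
        return [(_assignable(int(m.group(1))), m.group(2))]
    if token in VLAN_GROUPS:                # VLAN group name -> its member IDs
        return [(_assignable(v), None) for v in VLAN_GROUPS[token]]
    for vid, (name, _kind) in VLAN_TABLE.items():
        if name == token:                   # VLAN name (description) -> ID
            return [(_assignable(vid), None)]
    raise AuthorizationError(f"cannot resolve {token!r}")


def resolve_string(assigned):
    """Resolve the space-separated server string; names and groups become IDs."""
    tokens = assigned.split()
    if not tokens:
        raise AuthorizationError("empty authorization VLAN string")
    pairs = []
    for token in tokens:
        pairs.extend(resolve_token(token))
    return pairs


@dataclass
class PortMembership:
    pvid: int
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)


def assign_port_based(assigned, link_type="hybrid", current_pvid=1):
    """Apply the Table 6 rules for a port that performs port-based access control."""
    pairs = resolve_string(assigned)
    if any(suffix for _, suffix in pairs):
        # Suffixed string: 'u' VLANs are untagged, everything else is tagged,
        # and the untagged VLAN becomes the PVID (the '1u 2t 3' case).
        if link_type not in ("hybrid", "trunk"):
            raise AuthorizationError("suffixed VLAN IDs need a hybrid or trunk port")
        untagged = {v for v, s in pairs if s == "u"}
        tagged = {v for v, s in pairs if s != "u"}
        if len(untagged) > 1:
            # Assumption: the page shows one untagged VLAN; several are rejected here.
            raise AuthorizationError("more than one untagged VLAN in the string")
        pvid = next(iter(untagged)) if untagged else current_pvid
        return PortMembership(pvid, untagged, tagged)
    # Plain IDs, names or groups: the port takes the lowest VLAN ID in the group.
    # Assumption: it joins as an untagged member, so that VLAN becomes the PVID.
    chosen = min(v for v, _ in pairs)
    return PortMembership(chosen, {chosen}, set())


def rejects(assigned, link_type="hybrid"):
    """True when the device would fail the user for this string."""
    try:
        assign_port_based(assigned, link_type)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    print(assign_port_based("1u 2t 3"))        # VLAN 1 untagged and PVID, 2 and 3 tagged
    print(assign_port_based("corp printers"))  # lowest ID in {20, 10, 3} wins
    print(rejects("lab"))                      # dynamically learned VLAN, user fails
```

The practical check this exposes: a server that hands out a name or group that only exists as a dynamic, super, private or reserved VLAN on the switch does not degrade to some default VLAN; the user is simply refused, so VLAN names used in server policy must match static VLAN descriptions on every access device.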
Local VLAN authorization
The authorization VLAN of an 802.1X user is specified as a VLAN ID in local user view or user group view on the device. The port through which the user accesses the device is assigned to that VLAN as an untagged member. Tagged VLAN assignment is not supported for local authorization.
For more information about local user configuration, see "Configuring AAA."
Authorization VLAN manipulation for an 802.1X-enabled port
Table 7 describes how the access device handles VLANs (except for the VLANs specified with suffixes) on an 802.1X-enabled port.
Table 7: VLAN manipulation

Port access control method | VLAN manipulation
---|---
Port-based | The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID. If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change.
MAC-based | 

IMPORTANT:
For an 802.1X authenticated user to access the network through a hybrid port when no authorization VLAN is assigned to the user, perform one of the following tasks:
- If the port receives tagged authentication packets from the user in a VLAN, use the port hybrid vlan command to configure the port as a tagged member of that VLAN.
- If the port receives untagged authentication packets from the user in a VLAN, use the port hybrid vlan command to configure the port as an untagged member of that VLAN.
On a port with periodic online user reauthentication enabled, the MAC-based VLAN feature does not take effect on a user that has been online since before the feature was enabled. The access device creates a MAC-to-VLAN mapping for such a user only when both of the following requirements are met:
- The user passes reauthentication.
- The authorization VLAN for the user has changed.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.