VLAN assignment

Authorization VLAN

The authorization VLAN controls the access of a MAC authentication user to authorized network resources. The device supports authorization VLANs assigned locally or by a remote server. Only remote servers can assign tagged authorization VLANs.

Remote VLAN authorization

In remote VLAN authorization, you must specify authorization VLAN information on the remote server. After the user passes authentication, the server assigns the information to the device. The device resolves the authorization VLAN information and assigns the user's access port to the authorization VLAN as a tagged or untagged member. If the resolution fails, the user fails authentication.

The device can resolve the following formats of VLANs assigned by the remote server:

  • VLANs by IDs.

  • VLANs by names.

  • VLAN group name.

  • VLAN IDs with suffixes (u for an untagged VLAN, t for a tagged VLAN).


NOTE:

The access device converts VLAN names and a VLAN group name into VLAN IDs before VLAN assignment.


The device cannot resolve the following types of VLANs assigned by the remote server:

If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the VLAN ID format. Table 11 describes the authorization VLAN selection and assignment rules from a group of VLANs.

Table 11: Authorization VLAN selection and assignment from a group of VLANs

Types of VLANs: VLANs by IDs, VLANs by names, or a VLAN group name

Authorization VLAN selection and assignment rules:

The device selects a VLAN to be the authorization VLAN of a user, depending on whether the port has other online users:

  • If the port does not have other online users, the device selects the VLAN with the lowest ID from the group of VLANs.

  • If the port has other online users, the following rules apply:

    • If MAC-based VLAN is enabled, the device selects the VLAN that has the fewest online users. If two VLANs have the same number of online users, the device selects the VLAN with the lower ID.

    • If MAC-based VLAN is disabled, the device examines whether the VLAN that has online users is in the group of VLANs. If the VLAN is in the group, it is assigned to the user as the authorization VLAN. If the VLAN is not in the group, VLAN authorization fails.

Types of VLANs: VLAN IDs with suffixes

Authorization VLAN selection and assignment rules:

  1. The device scans the VLAN IDs from left to right and selects the first VLAN ID that either has no suffix or has the u suffix as the untagged VLAN.

  2. The device assigns the untagged VLAN to the port as the PVID and assigns the remaining VLANs as tagged VLANs. If no untagged VLAN is assigned, the PVID of the port does not change. The port permits traffic from these tagged and untagged VLANs to pass through.

For example, the authentication server sends the string 1u 2t 3 to the access device for a user. The device assigns VLAN 1 as an untagged VLAN and VLANs 2 and 3 as tagged VLANs. VLAN 1 becomes the PVID.


NOTE:

Assign VLAN IDs with suffixes only to hybrid or trunk ports.
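Both rows of Table 11 (selection from a group of VLANs, and VLAN IDs with suffixes) are mechanical enough to check in code. The Python model below is an added example written for this page, not device or vendor code. The class and function names are illustrative, and the model assumes that VLAN names and VLAN group names have already been converted to integer VLAN IDs, as the note above says the device does before assignment.

```python
"""Model of the Table 11 authorization VLAN resolution rules (added example,
not device code). Names here are illustrative."""
from dataclasses import dataclass, field


@dataclass
class PortUsers:
    """Online users on one port and whether MAC-based VLAN is enabled.
    online maps a MAC address string to that user's authorization VLAN ID."""
    mac_based_vlan: bool
    online: dict = field(default_factory=dict)


def select_from_group(group: list, port: PortUsers):
    """Pick one authorization VLAN from a group of VLAN IDs for a new user.
    Returns None when VLAN authorization fails."""
    if not group:
        return None
    # No other online users on the port: lowest VLAN ID in the group.
    if not port.online:
        return min(group)
    if port.mac_based_vlan:
        # Fewest online users wins; ties go to the lower VLAN ID.
        counts = {vid: 0 for vid in group}
        for vid in port.online.values():
            if vid in counts:
                counts[vid] += 1
        return min(group, key=lambda vid: (counts[vid], vid))
    # MAC-based VLAN disabled: every online user shares one untagged VLAN,
    # so the new user can only get that VLAN, and only if it is in the group.
    current = set(port.online.values())
    if len(current) != 1:
        return None  # inconsistent state for this mode; treat as failure
    (vid,) = current
    return vid if vid in group else None


def parse_suffixed_vlans(vlan_string: str, current_pvid: int):
    """Resolve a string such as '1u 2t 3'. The leftmost ID with no suffix or
    with suffix u becomes the untagged VLAN and the new PVID; every other ID
    (including any later u IDs) is assigned as a tagged VLAN.
    Returns (untagged VLAN or None, sorted tagged VLAN list, resulting PVID)."""
    untagged = None
    tagged = []
    for token in vlan_string.split():
        suffix = token[-1] if token[-1] in "ut" else ""
        digits = token[:-1] if suffix else token
        if not digits.isdigit() or not 1 <= int(digits) <= 4094:
            # Unresolvable authorization VLAN information: user fails auth.
            raise ValueError(f"cannot resolve VLAN token {token!r}")
        vid = int(digits)
        if suffix == "t" or untagged is not None:
            tagged.append(vid)
        else:
            untagged = vid
    pvid = untagged if untagged is not None else current_pvid
    return untagged, sorted(tagged), pvid


if __name__ == "__main__":
    print(parse_suffixed_vlans("1u 2t 3", current_pvid=1))
    port = PortUsers(mac_based_vlan=True, online={"00-11-22-33-44-55": 20})
    print(select_from_group([10, 20, 30], port))
```

Running the block prints (1, [2, 3], 1) for the page's own example string, and 10 for the group case, because VLAN 10 and VLAN 30 both have zero online users and the lower ID wins the tie.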


Local VLAN authorization

The authorization VLAN of a MAC authentication user is specified in user view or user group view in the form of VLAN ID on the device. The port through which the user accesses the device is assigned to the VLAN as an untagged member. Tagged VLAN assignment is not supported.

For more information about local user configuration, see "Configuring AAA."

Authorization VLAN manipulation for a MAC authentication-enabled port

Table 12 describes the way the network access device handles authorization VLANs (except for the VLANs specified with suffixes) for MAC authenticated users.

Table 12: VLAN manipulation

Port type: access port, trunk port, or hybrid port with MAC-based VLAN disabled

VLAN manipulation:

  • If the port is assigned to the authorization VLAN as an untagged member, the device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. All MAC authentication users on the port must be assigned the same authorization VLAN. If a different authorization VLAN is assigned to a subsequent user, the user cannot pass MAC authentication.

  • If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change. The device maps the MAC address of each user to its own authorization VLAN.

NOTE:

An access port can be assigned to an authorization VLAN only as an untagged VLAN member.

Port type: hybrid port with MAC-based VLAN enabled

VLAN manipulation:

The device maps the MAC address of each user to its own authorization VLAN regardless of whether the port is a tagged member. The PVID of the port does not change.


IMPORTANT:

As a best practice, always assign a hybrid port to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
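The practical consequence of Table 12 is that on an access port, a trunk port, or a hybrid port without MAC-based VLAN, an untagged authorization VLAN is a port-wide decision made by the first user, while tagged membership or MAC-based VLAN gives each MAC its own mapping. The Python model below is an added example written for this page, not device code. The AuthPort class and its fields are illustrative, and rejecting a tagged assignment on an access port is this example's assumption; the page only states that an access port can be an untagged member.

```python
"""Model of the Table 12 port handling rules for authorization VLANs
(added example, not device code)."""
from dataclasses import dataclass, field
from typing import Optional

ACCESS, TRUNK, HYBRID = "access", "trunk", "hybrid"


@dataclass
class AuthPort:
    port_type: str
    pvid: int
    mac_based_vlan: bool = False            # only meaningful on hybrid ports
    untagged_auth_vlan: Optional[int] = None  # VLAN the port joined untagged
    mac_vlan: dict = field(default_factory=dict)  # MAC -> authorization VLAN

    def maps_per_mac(self, tagged: bool) -> bool:
        """A hybrid port with MAC-based VLAN enabled maps every user per MAC,
        tagged or not. Any other port maps per MAC only for tagged members."""
        return (self.port_type == HYBRID and self.mac_based_vlan) or tagged

    def authorize(self, mac: str, vlan: int, tagged: bool = False) -> bool:
        """Apply the authorization VLAN of a user that just passed MAC
        authentication. Returns False if the user cannot come online."""
        if self.port_type == ACCESS and tagged:
            # Access ports can only be untagged members (assumption: reject).
            return False
        if self.maps_per_mac(tagged):
            self.mac_vlan[mac] = vlan       # PVID stays unchanged
            return True
        # Untagged member on an access port, trunk port, or hybrid port with
        # MAC-based VLAN disabled: the first user's VLAN becomes the PVID and
        # every later user on this port must be assigned the same VLAN.
        if self.untagged_auth_vlan is None:
            self.untagged_auth_vlan = vlan
            self.pvid = vlan
        elif vlan != self.untagged_auth_vlan:
            return False
        self.mac_vlan[mac] = vlan
        return True


if __name__ == "__main__":
    # Constructed sample: two users on one access port with different VLANs.
    port = AuthPort(ACCESS, pvid=1)
    print(port.authorize("00-11-22-33-44-01", 10), port.pvid)   # True 10
    print(port.authorize("00-11-22-33-44-02", 20), port.pvid)   # False 10
```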


For a MAC authenticated user to access the network on a hybrid port when no authorization VLANs are assigned to the user, perform either of the following tasks:

Guest VLAN

The MAC authentication guest VLAN on a port accommodates users that have failed MAC authentication for any reason other than server unreachable, for example, users whose credentials are invalid.

You can deploy a limited set of network resources in the MAC authentication guest VLAN, for example, a server from which users can download software and system patches.

A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.

The device reauthenticates users in the MAC authentication guest VLAN at a specific interval. Table 13 shows the way that the network access device handles guest VLANs for MAC authentication users.

Table 13: VLAN manipulation

Authentication status: A user in the MAC authentication guest VLAN fails MAC authentication for any reason other than server unreachable.

VLAN manipulation: The user stays in the MAC authentication guest VLAN.

Authentication status: A user in the MAC authentication guest VLAN passes MAC authentication.

VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the port.

Critical VLAN

The MAC authentication critical VLAN on a port accommodates users that have failed MAC authentication because no RADIUS authentication servers are reachable. Users in a MAC authentication critical VLAN can access only network resources in the critical VLAN.

The critical VLAN feature takes effect only when MAC authentication is performed through RADIUS servers alone. If the ISP domain uses local authentication as a backup to RADIUS authentication, a user that fails local authentication after the RADIUS servers become unreachable is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."

Table 14 shows the way that the network access device handles critical VLANs for MAC authentication users.

Table 14: VLAN manipulation

Authentication status: A user fails MAC authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The device maps the MAC address of the user to the MAC authentication critical VLAN. The user stays in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable. If no MAC authentication critical VLAN is configured, the device maps the MAC address of the user to the PVID of the port.

Authentication status: A user in the MAC authentication critical VLAN fails MAC authentication for any reason other than server unreachable.

VLAN manipulation: If a guest VLAN has been configured, the device maps the MAC address of the user to the guest VLAN. If no guest VLAN is configured, the device maps the MAC address of the user to the PVID of the port.

Authentication status: A user in the MAC authentication critical VLAN passes MAC authentication.

VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the access port.

Critical voice VLAN

The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable.

The critical voice VLAN feature takes effect only when MAC authentication is performed through RADIUS servers alone. If the ISP domain uses local authentication as a backup to RADIUS authentication, a voice user that fails local authentication after the RADIUS servers become unreachable is not assigned to the critical voice VLAN. For more information about the authentication methods, see "Configuring AAA."

Table 15 shows the way that the network access device handles critical voice VLANs for MAC authentication voice users.

Table 15: VLAN manipulation

Authentication status: A voice user fails MAC authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The device maps the MAC address of the voice user to the MAC authentication critical voice VLAN. The voice user stays in the MAC authentication critical voice VLAN if the voice user fails MAC reauthentication because all the RADIUS servers are unreachable. If no MAC authentication critical voice VLAN is configured, the device maps the MAC address of the voice user to the PVID of the port.

Authentication status: A voice user in the MAC authentication critical voice VLAN fails MAC authentication for any reason other than server unreachable.

VLAN manipulation: If a guest VLAN has been configured, the device maps the MAC address of the voice user to the guest VLAN. If no guest VLAN is configured, the device maps the MAC address of the voice user to the PVID of the port.

Authentication status: A voice user in the MAC authentication critical voice VLAN passes MAC authentication.

VLAN manipulation: The device remaps the MAC address of the voice user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the voice user on the authentication server, the device remaps the MAC address of the voice user to the PVID of the access port.
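Tables 13, 14, and 15 describe one state machine: the VLAN a user lands in depends on where the user is now (guest, critical, or critical voice VLAN) and on how the latest authentication attempt ended. The order of fallbacks matters for a security review, because a user whose RADIUS servers are unreachable ends up in the critical VLAN, but if that VLAN is not configured the user is mapped to the port's PVID instead. The Python model below is an added example written for this page, not device code. Its state names and the radius_only flag are this example's assumptions (the flag models the "RADIUS servers only" condition by treating a failed local backup as an ordinary failure), and so are two cases the tables do not state: a user already in the guest VLAN whose servers become unreachable is handled like any other unreachable case, and a first-time failure with no guest VLAN configured leaves the user denied.

```python
"""State machine for the guest, critical, and critical voice VLAN rules of
Tables 13 to 15 (added example, not device code)."""
from dataclasses import dataclass
from typing import Optional

PASS, FAIL, UNREACHABLE = "pass", "fail", "server_unreachable"


@dataclass
class PortVlans:
    """VLANs configured on the port; None means not configured."""
    pvid: int
    guest: Optional[int] = None
    critical: Optional[int] = None
    critical_voice: Optional[int] = None


@dataclass
class MacUser:
    mac: str
    voice: bool = False
    # initial | guest | critical | critical_voice | authorized | pvid | denied
    state: str = "initial"
    vlan: Optional[int] = None


def on_auth_result(user: MacUser, port: PortVlans, result: str,
                   auth_vlan: Optional[int] = None, radius_only: bool = True):
    """Apply one authentication outcome and return (new state, VLAN)."""
    if result == UNREACHABLE and not radius_only:
        # RADIUS unreachable but a local backup method ran and failed:
        # the critical VLAN does not apply, so treat it as a plain failure.
        result = FAIL
    if result == PASS:
        user.state = "authorized"
        user.vlan = auth_vlan if auth_vlan is not None else port.pvid
    elif result == UNREACHABLE:
        # Tables 14 and 15: critical (voice) VLAN, else the port PVID.
        crit = port.critical_voice if user.voice else port.critical
        if crit is None:
            user.state, user.vlan = "pvid", port.pvid
        else:
            user.state = "critical_voice" if user.voice else "critical"
            user.vlan = crit
    else:  # FAIL for any reason other than server unreachable
        if user.state == "guest":
            pass                                   # Table 13: stays in guest
        elif port.guest is not None:
            user.state, user.vlan = "guest", port.guest
        elif user.state in ("critical", "critical_voice"):
            user.state, user.vlan = "pvid", port.pvid   # Tables 14 and 15
        else:
            # Assumption: a first failure with no guest VLAN leaves the user
            # without access; the tables on the page do not cover this case.
            user.state, user.vlan = "denied", None
    return user.state, user.vlan


if __name__ == "__main__":
    # Constructed sample: server outage, then a bad credential, then success.
    port = PortVlans(pvid=1, guest=10, critical=20, critical_voice=30)
    user = MacUser("00-11-22-33-44-55")
    for result, vlan in ((UNREACHABLE, None), (FAIL, None), (PASS, 100)):
        print(on_auth_result(user, port, result, auth_vlan=vlan))
```

The sample walk prints ('critical', 20), then ('guest', 10), then ('authorized', 100): the user drops from the critical VLAN into the guest VLAN as soon as a server answers with a rejection, and only reaches the authorization VLAN on a successful reauthentication.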