Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions
Syntax
aaa port-access gvrp-vlans
Enables the use of dynamic VLANs (learned through GVRP) as the temporary untagged VLAN assigned by a RADIUS server to an authenticated port in an 802.1X, MAC, or Web authentication session. Enter the no form of this command to disable the use of GVRP-learned VLANs in an authentication session. For information on how to enable a switch to dynamically create 802.1Q-compliant VLANs, see "GVRP" in the advanced traffic management guide.
NOTE:
If a port is assigned as a member of an untagged dynamic VLAN, the dynamic VLAN configuration must exist at the time of authentication and GVRP for port-access authentication must be enabled on the switch. If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch, the authentication fails.
After you enable dynamic VLAN assignment in an authentication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent denial-of-service attacks. The interface unknown-vlans command allows you to:
Disable the port from sending advertisements of existing GVRP-created VLANs on the switch.
Drop all GVRP advertisements received on the port. See “GVRP” in the advanced traffic management guide.
If you disable the use of dynamic VLANs in an authentication session using the no aaa port-access gvrp-vlans command, client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated. (This behavior differs from how static VLAN assignment is handled in an authentication session. If you remove the configuration of the static VLAN used to create a temporary client session, the 802.1X, MAC, or Web authenticated client is deauthenticated.) However, if a RADIUS-configured dynamic VLAN used for an authentication session is deleted from the switch through normal GVRP operation (for example, if no GVRP advertisements for the VLAN are received on any switch port), authenticated clients using this VLAN are deauthenticated.
Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X-authenticated session do not take effect until the session ends. With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1X authentication is advertised as an existing VLAN. If this temporary VLAN assignment causes the switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled VLAN assignment is not advertised. When the 802.1X session ends, the switch:
Eliminates and ceases to advertise the temporary VLAN assignment.
Re-activates and resumes advertising the temporarily disabled VLAN assignment.
Tagged and untagged VLAN attributes
To configure a user profile on a RADIUS server and assign a VLAN to an authenticated client, you can use either the VLAN's name or VLAN ID (VID) number. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either "100" or "vlan100" to specify the VLAN.
After the RADIUS server validates a client's user name and password, the RADIUS server returns an Access-Accept packet that contains the VLAN assignment and the following attributes for use in the authentication session:
hp-egress-vlan-id(64): Configures an optional, egress VLAN ID for either tagged or untagged packets.
hp-egress-vlan-name(65): Configures an optional, egress VLAN for either tagged or untagged packets when the VLAN ID is not known.
Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID: Tunnel attributes that specify an untagged VLAN assignment (RFC 3580).
NOTE: You must use only the VLAN ID or the VLAN name for a given VLAN.
Alternate HPE VSAs
| RADIUS Attribute | Times Used | Description | Value String | Value |
|---|---|---|---|---|
| HP-Egress-VLANID (11.64) | 1-* | Alternate VSA for Egress-VLANID | – | <tagged/untagged (0x31 or 0x32)>000<VLAN_ID (as hex)> |
| HP-Egress-VLAN-Name (11.65) | 1-* | Alternate VSA for Egress-VLAN-Name | – | <tagged/untagged (1 or 2)><VLAN Name String> |
The value of Egress-VLANID is a bit string: the first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 (untagged). The next 12 bits are padding 0x000, and the final 12 bits are the VLAN ID as an integer value. For example, the value to set VLAN 17 as a tagged egress VLAN would be 0x31000011.
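The two value formats from the table and the paragraph above, together with the rule from the GVRP note earlier on this page (a RADIUS-returned VLAN is applied only if it exists on the switch, and a GVRP-learned VLAN only when aaa port-access gvrp-vlans is enabled), as an added Python example. This is example code written for this page, not switch firmware or an HPE tool; the class and function names, the 1-4094 VID range check, and the sample VLAN table are assumptions, and applying the dynamic-VLAN rule to every returned VLAN rather than only the untagged one is a simplification.

```python
"""Encode, validate and decode HP-Egress-VLANID (11.64) and HP-Egress-VLAN-Name
(11.65) values, and model whether the switch would accept the assignment.
Example code added for this page; not HPE's implementation."""
from __future__ import annotations

from dataclasses import dataclass

# Leading octet of an Egress-VLANID value: 0x31 = tagged, 0x32 = untagged.
# These are the ASCII codes for '1' and '2', the characters that lead an
# Egress-VLAN-Name value.
TAGGED = 0x31
UNTAGGED = 0x32
VLAN_ID_MAX = 4094  # assumed: usable 802.1Q VID range is 1-4094


@dataclass(frozen=True)
class EgressVlan:
    """Decoded assignment: tagged flag plus either a VID or a VLAN name."""
    tagged: bool
    vlan_id: int | None = None
    name: str | None = None


@dataclass(frozen=True)
class SwitchVlan:
    """A VLAN present on the switch; dynamic=True means learned through GVRP."""
    vid: int
    name: str
    dynamic: bool = False


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Build the 32-bit value: 8-bit indicator, 12 zero padding bits, 12-bit VID."""
    if not 1 <= vlan_id <= VLAN_ID_MAX:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    indicator = TAGGED if tagged else UNTAGGED
    return (indicator << 24) | vlan_id


def validate_egress_vlanid(value: int) -> str:
    """Return '' for a well-formed Egress-VLANID value, otherwise the reason."""
    if not 0 <= value <= 0xFFFFFFFF:
        return "value does not fit in 32 bits"
    indicator = value >> 24
    padding = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if indicator not in (TAGGED, UNTAGGED):
        return f"indicator octet 0x{indicator:02x} is neither 0x31 nor 0x32"
    if padding != 0:
        return f"padding bits are 0x{padding:03x}, expected 0x000"
    if not 1 <= vlan_id <= VLAN_ID_MAX:
        return f"VLAN ID {vlan_id} out of range"
    return ""


def decode_egress_vlanid(value: int) -> EgressVlan:
    """Decode a validated Egress-VLANID value into tagged flag and VID."""
    problem = validate_egress_vlanid(value)
    if problem:
        raise ValueError(problem)
    return EgressVlan(tagged=(value >> 24) == TAGGED, vlan_id=value & 0xFFF)


def decode_egress_vlan_name(value: str) -> EgressVlan:
    """Parse '<1|2><VLAN name>': leading '1' = tagged, '2' = untagged."""
    if len(value) < 2 or value[0] not in "12":
        raise ValueError(f"malformed Egress-VLAN-Name value: {value!r}")
    return EgressVlan(tagged=value[0] == "1", name=value[1:])


def accept_assignment(assignment: EgressVlan, vlans: list[SwitchVlan],
                      gvrp_vlans_enabled: bool) -> bool:
    """True if the switch would apply the returned VLAN: it must exist on the
    switch, and a GVRP-learned VLAN is usable only when aaa port-access
    gvrp-vlans is enabled; otherwise the authentication fails."""
    for v in vlans:
        if assignment.vlan_id == v.vid or (assignment.name is not None and assignment.name == v.name):
            return gvrp_vlans_enabled or not v.dynamic
    return False


if __name__ == "__main__":
    # Constructed sample: one static VLAN and one GVRP-learned VLAN.
    sample_vlans = [SwitchVlan(100, "vlan100"), SwitchVlan(17, "vlan17", dynamic=True)]
    print(hex(encode_egress_vlanid(17, True)))            # 0x31000011
    print(decode_egress_vlanid(0x32000064))              # untagged VLAN 100
    print(accept_assignment(decode_egress_vlanid(0x31000011), sample_vlans, False))  # False
```

The validate function rejects an indicator octet other than 0x31/0x32, non-zero padding bits, and a VID of 0 or above 4094, which is what a RADIUS server operator will want to check before pushing a profile: a malformed value does not silently become some other VLAN.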
Tunnel (untagged VLAN) attributes may be included in the same RADIUS packet as the Egress-VLANID and Egress-VLAN-Name attributes. These attributes are not mutually exclusive. The switch processes the VLAN information returned from the remote RADIUS server for each successfully 802.1X-, web-, or MAC-authenticated client (user). The VLAN information is part of the user's profile stored in the RADIUS server's database and is applied only if the VLANs exist on the switch.
The support for RADIUS-assigned tagged and untagged VLAN configuration on an authenticated port allows you to use IDM to dynamically configure tagged and untagged VLANs as required for different client devices, such as PCs and IP phones, that share the same switch port.