Quick Reference Guide
PowerConnect B-Series TI24X Configuration Guide (53-1002269-02)
Chapter 28: Configuring 802.1X port security
Configuring dynamic VLAN assignment for 802.1X ports
When a client successfully completes the EAP authentication process, the Authentication Server
(the RADIUS server) sends the Authenticator (the Dell device) a RADIUS Access-Accept message
that grants the client access to the network. The RADIUS Access-Accept message contains
attributes set for the user in the user's access profile on the RADIUS server.
If one of the attributes in the Access-Accept message specifies a VLAN identifier, and if this VLAN is
available on the Dell device, the client port is moved from its default VLAN to this specified VLAN.
NOTE
This feature is supported on port-based VLANs only. This feature cannot be used to place an
802.1X-enabled port into a Layer 3 protocol VLAN.
Automatic removal of dynamic VLAN assignments for 802.1X ports
For increased security, this feature removes any association between a port and a
dynamically-assigned VLAN when all 802.1X sessions for that VLAN have expired on the port.
NOTE
When a show run command is issued during a session, the dynamically-assigned VLAN is not
displayed.
Enable 802.1X VLAN ID support by adding the attributes in Table 6 to the user's profile on the
RADIUS server.

Table 6: RADIUS attributes for 802.1X dynamic VLAN assignment

Attribute name            Type  Value
Tunnel-Type               064   13 (decimal) – VLAN
Tunnel-Medium-Type        065   6 (decimal) – 802
Tunnel-Private-Group-ID   081   <vlan-name> (string) – either the name or the number of a VLAN
                                configured on the Dell device.

The device reads the attributes as follows:
• If the Tunnel-Type or the Tunnel-Medium-Type attribute in the Access-Accept message does not
have the value specified in Table 6, the Dell device ignores all three Attribute-Value pairs. The
client becomes authorized, but the client port is not dynamically placed in a VLAN.
• If the Tunnel-Type and Tunnel-Medium-Type attributes do have the values specified in Table 6,
but no value is specified for the Tunnel-Private-Group-ID attribute, the client does not become
authorized.
• When the Dell device receives the value specified for the Tunnel-Private-Group-ID attribute, it
first checks whether the <vlan-name> string matches the name of a VLAN configured on the
device. If it does, the client port is placed in the VLAN whose ID corresponds to that name.
• If the <vlan-name> string does not match the name of a VLAN, the Dell device checks whether
the string, converted to a number, matches the ID of a VLAN configured on the device. If it does,
the client port is placed in the VLAN with that ID.
• If the <vlan-name> string matches neither the name nor the ID of a VLAN configured on the
device, the client does not become authorized.
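The decision procedure above, as an added worked example in Python that is not part of the Dell guide or of the device firmware: one side encodes the three tunnel attributes the way a RADIUS server places them in an Access-Accept (RFC 2865 TLV framing, RFC 2868 tag octet), the other side parses them and applies the rules listed above in order. The VLAN table (IDs 1, 10 and 20, named DEFAULT-VLAN and staff), the function names and the sample attribute payloads are constructed for this example; the tag-octet handling is RFC 2868 behaviour, not something the page states about the Dell device.

```python
"""Dynamic VLAN assignment from RADIUS tunnel attributes.

Added example modelling the rules in this section; not Dell/Brocade code.
Encoding follows RFC 2865 (attribute TLV) and RFC 2868 (tunnel attributes).
"""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type value meaning "IEEE-802"


def encode_attr(atype, value):
    """RFC 2865 attribute: Type (1 byte) | Length (1 byte, incl. header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def server_vlan_attrs(group_id, tag=0):
    """RADIUS-server side: the three attributes from Table 6 for one user.

    Tunnel-Type and Tunnel-Medium-Type are a tag octet followed by a 3-byte
    integer; Tunnel-Private-Group-ID is a tag octet followed by a string.
    """
    hdr = bytes([tag])
    return (encode_attr(TUNNEL_TYPE, hdr + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_attr(TUNNEL_MEDIUM_TYPE, hdr + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, hdr + group_id.encode("utf-8")))


def parse_attrs(data):
    """Split an attribute list into {type: [value, ...]}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(data[i + 2:i + alen])
        i += alen
    return attrs


def tagged_int(value):
    """Tag octet + 3-byte integer; anything else is treated as 'not the value'."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None


def tagged_string(value):
    """RFC 2868: a leading octet in 0x00..0x1F is a tag, otherwise it is data."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("utf-8", "replace")


def nas_decide(attr_bytes, vlans):
    """Authenticator side. vlans maps VLAN id -> name (None if unnamed).

    Returns (authorized, vlan_id_or_None, reason), following the rules in
    the text: name match is tried before numeric-ID match.
    """
    attrs = parse_attrs(attr_bytes)
    ttype = attrs.get(TUNNEL_TYPE, [b""])[0]
    tmed = attrs.get(TUNNEL_MEDIUM_TYPE, [b""])[0]
    # Rule 1: wrong/missing Tunnel-Type or Tunnel-Medium-Type -> ignore all three.
    if tagged_int(ttype) != TUNNEL_TYPE_VLAN or tagged_int(tmed) != TUNNEL_MEDIUM_802:
        return (True, None, "tunnel attributes not VLAN/802: no dynamic VLAN")
    # Rule 2: right tunnel attributes but no group id -> fail closed.
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return (False, None, "Tunnel-Private-Group-ID missing")
    name = tagged_string(attrs[TUNNEL_PRIVATE_GROUP_ID][0])
    # Rule 3: match by configured VLAN name.
    for vid, vname in vlans.items():
        if vname is not None and vname == name:
            return (True, vid, "matched VLAN name %r" % name)
    # Rule 4: match by numeric VLAN id.
    if name.isdigit() and int(name) in vlans:
        return (True, int(name), "matched VLAN id %s" % name)
    # Rule 5: nothing matched -> fail closed.
    return (False, None, "%r matches no configured VLAN" % name)


if __name__ == "__main__":
    # Constructed VLAN table for the demo.
    vlans = {1: "DEFAULT-VLAN", 10: "staff", 20: None}
    for group_id in ("staff", "20", "10", "guest"):
        print(group_id, "->", nas_decide(server_vlan_attrs(group_id), vlans))
```

Two points worth checking against a real deployment: a typo in Tunnel-Private-Group-ID (the "guest" case) or a missing group ID denies the client rather than leaving it in the port's default VLAN, and a VLAN whose name is a number is matched by name first, so naming a VLAN "20" when a different VLAN has ID 20 steers clients to the named one.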