Administrator Guide

Authentication, Authorization, and Accounting 283
VLAN. Hosts that do not attempt authentication may be placed into an
unauthenticated VLAN. The network administrator can configure the type of
access provided to the authenticated, guest, and unauthenticated VLANs.
Much of the configuration to assign authenticated hosts to a particular VLAN
takes place on the 802.1X authenticator server (for example, a RADIUS
server). If an external RADIUS server is used to manage VLANs, configure the
server to use Tunnel attributes in Access-Accept messages in order to inform
the switch about the selected VLAN. These attributes are defined in RFC
2868 and their use for dynamic VLAN is specified in RFC 3580.
The VLAN attributes defined in RFC 3580 and required for VLAN
assignment via RADIUS are as follows:
Tunnel-Type (64) = VLAN (13)
Tunnel-Medium-Type (65) = 802 (6)
Tunnel-Private-Group-ID (81) = VLANID
The tag value for the Tunnel-Private-Group-ID is parsed as the length of the
VLAN ID. The VLAN ID may consist of a VLAN name (not to exceed 32
characters) or a numeric value in ASCII (no alphabetic characters are
allowed) in the range 1–4093.
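The following is an added example, not code from the guide or from the switch firmware: it decodes the three RFC 2868 Tunnel attributes out of a RADIUS Access-Accept attribute list and applies the VLAN ID rules stated above (Tunnel-Type 13, Tunnel-Medium-Type 6, and a Tunnel-Private-Group-ID that is either a name of at most 32 characters or a numeric ASCII value from 1 to 4093). The attribute bytes are constructed for illustration, not captured from a real server.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type = VLAN (13), Tunnel-Medium-Type = 802 (6)

def parse_attributes(data: bytes):
    """Yield (type, value) for each RADIUS attribute TLV: type(1) length(1) value."""
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def split_tag(value: bytes):
    """RFC 2868 rule for String attributes: a first byte > 0x1F is data, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def radius_vlan(data: bytes):
    """Return the VLAN (int ID or name) to assign, or None if attributes are unusable."""
    tunnels = {}  # tag -> {attribute type: decoded value}
    for atype, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            # Tagged integer: one tag byte followed by a 3-byte big-endian value
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, body = split_tag(value)
            tunnels.setdefault(tag, {})[atype] = body.decode("ascii", "replace")
    for attrs in tunnels.values():
        if attrs.get(TUNNEL_TYPE) != VLAN or attrs.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
            continue  # not a VLAN-over-802 tunnel group; ignore it
        gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if gid.isdigit():            # numeric VLAN ID in ASCII, must be 1-4093
            return int(gid) if 1 <= int(gid) <= 4093 else None
        if 0 < len(gid) <= 32:       # VLAN name, at most 32 characters
            return gid
        return None
    return None

def tagged_attr(atype: int, tag: int, body: bytes) -> bytes:
    """Encode one tagged attribute TLV (used only to build constructed samples)."""
    value = bytes([tag]) + body
    return bytes([atype, 2 + len(value)]) + value

# Constructed Access-Accept attribute set (not a real capture) assigning VLAN 100.
SAMPLE = (tagged_attr(TUNNEL_TYPE, 1, VLAN.to_bytes(3, "big"))
          + tagged_attr(TUNNEL_MEDIUM_TYPE, 1, IEEE_802.to_bytes(3, "big"))
          + tagged_attr(TUNNEL_PRIVATE_GROUP_ID, 1, b"100"))
```

A value that fails the range or length rules yields None, which is the point at which a switch would fall back to its configured guest or unauthenticated VLAN handling rather than creating a VLAN from bad input.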
Dynamic VLAN Creation
If RADIUS-assigned VLANs are enabled through the Authorization Network
RADIUS configuration option, the RADIUS server is expected to include the
VLAN ID in the 802.1X tunnel attributes of its response message to the
switch. If dynamic VLAN creation is enabled on the switch and the RADIUS-
assigned VLAN does not exist, then the assigned VLAN is dynamically
created and the port is made a member of the VLAN. If the VLAN is already
created on the switch, the port is simply made a member of the VLAN. This
implies that the client can connect from any port and be assigned to the
appropriate VLAN based on the RADIUS server configuration. This gives
flexibility for clients to move around the network without much additional
configuration required on the switches in the network. Dynamic VLAN
assignment requires that the port be configured in general mode if the port
authentication mode is MAC-based and be configured in general or access
mode if the port authentication mode is auto.