Users Guide

318 Authentication, Authorization, and Accounting
The host attempts to authenticate but fails because it lacks certain
security credentials.
The host does not try to authenticate at all (802.1X unaware).
Three separate VLANs can be created on the switch to handle a host
depending on whether the host authenticates, fails the authentication, or
does not attempt authentication. The RADIUS server informs the switch of
the selected VLAN as part of the authentication.
RADIUS VLAN Assignment
Hosts that authenticate successfully are assigned to a VLAN that provides
access to network resources. Where the administrator has configured a
restrictive default VLAN on the port, the RADIUS server can override it and
assign the VLAN for ports configured in multi-host or
multi-domain-multi-host modes. Hosts that fail authentication are either
denied access to the network or placed into an unauthenticated VLAN, if
one is configured. Hosts that do not attempt authentication may be placed
into a guest VLAN, if one is configured. The network administrator controls
the access provided by each of the authenticated, guest, and
unauthenticated VLANs.
Much of the configuration that assigns authenticated hosts to a particular
VLAN takes place on the 802.1X authentication server (for example, a RADIUS
server); the switch itself is the authenticator. If an external RADIUS
server is used to manage VLANs, configure the server to return Tunnel
attributes in its Access-Accept messages in order to inform the switch of
the selected VLAN. These attributes are defined in RFC 2868, and their use
for dynamic VLAN assignment is specified in RFC 3580.
The RFC 3580 attributes required for VLAN assignment via RADIUS are:
Tunnel-Type (64) = VLAN (13)
Tunnel-Medium-Type (65) = IEEE-802 (6)
Tunnel-Private-Group-ID (81) = VLAN ID
All three are tagged attributes, so each value is preceded by a one-octet
Tag. The switch parses the tag value of Tunnel-Private-Group-ID as the
length of the VLAN ID that follows. Note that RFC 2868 treats a first octet
greater than 0x1F as the start of the string rather than as a tag, so use a
small tag value, and use the same tag on all three attributes so that the
switch groups them together. The VLAN ID may be a VLAN name (not to exceed
32 characters) or a numeric VLAN ID in ASCII (digits only; no alphabetic
characters are allowed) in the range 1–4093.
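The following is an added example, not code from the switch firmware or this guide, showing both sides of the exchange described above: it encodes the three RFC 2868 tunnel attributes the way a RADIUS server would place them in an Access-Accept, and then parses them the way a switch would, grouping the attributes by tag, applying the RFC 2868 rule that a first octet above 0x1F is string data rather than a tag, and enforcing the VLAN ID constraints given in the text (ASCII digits in 1–4093, or a name of at most 32 characters). Function names and the sample packets are this example's own; the attribute numbers and values are the ones from RFC 2868 and RFC 3580.

```python
"""Encode and parse RFC 2868/3580 tunnel attributes for RADIUS VLAN assignment."""
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580 (not assumptions).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer attribute: Type, Length (always 6), Tag, 3-octet value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string attribute: Type, Length, Tag, then the ASCII string."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_attributes(vlan, tag=1):
    """Server side: the three attributes a RADIUS server returns for VLAN `vlan`.

    `vlan` is an int VLAN ID or a str VLAN name; the same tag is used on all
    three so the switch groups them as one assignment.
    """
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs, checking lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value, is_string):
    """Return (tag, payload). Per RFC 2868 a string attribute whose first octet
    is greater than 0x1F carries no tag; that octet is part of the string."""
    if is_string and value and value[0] > 0x1F:
        return 0, value
    return value[0], value[1:]


def validate_vlan_id(raw):
    """Apply the guide's constraints: digits in 1-4093, or a name of <= 32 chars."""
    text = raw.decode("ascii")  # raises UnicodeDecodeError on non-ASCII
    if text.isdigit():
        vid = int(text)
        if not 1 <= vid <= 4093:
            raise ValueError(f"VLAN ID {vid} outside 1-4093")
        return vid
    if not text or len(text) > 32:
        raise ValueError("VLAN name must be 1-32 characters")
    return text


def vlan_from_access_accept(blob):
    """Switch side: the VLAN (int or name) selected by the server, or None if
    no tag group carries all three attributes with the VLAN/IEEE-802 values."""
    by_tag = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be tag + 3 octets")
            tag, payload = split_tag(value, is_string=False)
            by_tag.setdefault(tag, {})[attr_type] = int.from_bytes(payload, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, payload = split_tag(value, is_string=True)
            by_tag.setdefault(tag, {})[attr_type] = payload
    for tag in sorted(by_tag):
        group = by_tag[tag]
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return validate_vlan_id(group[TUNNEL_PRIVATE_GROUP_ID])
    return None


if __name__ == "__main__":
    # Constructed sample: server assigns VLAN 100, switch parses it back.
    print(vlan_from_access_accept(build_vlan_attributes(100)))        # 100
    print(vlan_from_access_accept(build_vlan_attributes("Guest-VLAN")))  # Guest-VLAN
```

Two failure modes worth noticing: if the server puts different tags on Tunnel-Type and Tunnel-Private-Group-ID, the parser finds no complete group and returns None, which on a real switch means the host lands in the port's default (or unauthenticated) VLAN rather than the intended one; and a Tunnel-Private-Group-ID outside 1–4093 is rejected outright rather than silently truncated. On a FreeRADIUS server the equivalent reply entry is `Tunnel-Type = VLAN`, `Tunnel-Medium-Type = IEEE-802`, `Tunnel-Private-Group-Id = "100"`.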