Users Guide

Authentication, Authorization, and Accounting 341
Controlling Authentication-Based VLAN Assignment
The network in this example uses three VLANs to control access to network
resources. When a client connects to the network, it is assigned to a particular
VLAN based on one of the following events:
• It attempts to contact the 802.1X server and is authenticated.
• It attempts to contact the 802.1X server and fails to authenticate.
• It does not attempt to contact the 802.1X server.
The following table describes the three VLANs:

VLAN ID  VLAN Name     VLAN Purpose
100      Authorized    Data from authorized clients
200      Unauthorized  Data traffic from clients that fail the authentication with the RADIUS server
300      Guest         Data traffic from clients that do not attempt to authenticate with the RADIUS server

The commands in this example show how to configure the switch to control
VLAN assignment for the example network. This example also contains
commands to configure the uplink, or trunk, port (a port connected to a
router or the internal network), and to configure the downlink, or access,
ports (ports connected to one or more hosts). Ports 1–23 are downstream
ports. Port 24 is an uplink port. An external RADIUS server handles the
VLAN assignment.
NOTE: Dynamic VLAN creation applies only to authorized ports. The VLANs for
unauthorized and guest users must be configured on the switch and cannot be
dynamically created based on RADIUS-based VLAN assignment.
NOTE: RADIUS VLAN assignment is supported for all port modes other than
trunk mode.
NOTE: The configuration to control the VLAN assignment for authorized users is
done on the external RADIUS server.
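Because the authorized VLAN is chosen on the RADIUS server, it helps to confirm that the server's Access-Accept really carries VLAN 100 before relying on the switch to enforce it. The following is an added example, not taken from this guide: it assumes the server uses the standard RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which this page does not list, and the function names and sample bytes are constructed for illustration.

```python
# Assumption: VLAN is conveyed with the RFC 3580 tunnel attributes (RFC 2865/2868 codes).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6
AUTHORIZED_VLAN = 100  # "Authorized" VLAN from the table on this page


def parse_attrs(blob):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def assigned_vlan(blob):
    """Return the VLAN ID an Access-Accept assigns, or None if the triplet is incomplete."""
    tunnel_type = medium = group = None
    for atype, value in parse_attrs(blob):
        if atype == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif atype == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading octet <= 0x1F is a tag, not part of the VLAN string.
            group = value[1:] if value[0] <= 0x1F else value
    if tunnel_type != TT_VLAN or medium != TMT_IEEE_802:
        return None
    if not group or not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


def check_accept(blob, expected=AUTHORIZED_VLAN):
    """True only when the reply places the client in the expected VLAN."""
    return assigned_vlan(blob) == expected


# Constructed sample: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, group "100".
SAMPLE_OK = bytes.fromhex("40060000000d" "410600000006" "5105" "313030")
# Constructed sample: same reply pointing at VLAN 200 (the Unauthorized VLAN).
SAMPLE_WRONG = bytes.fromhex("40060000000d" "410600000006" "5105" "323030")
```

Feed `check_accept` the attribute bytes taken from a packet capture of the RADIUS exchange; a reply that omits any of the three attributes yields `None` from `assigned_vlan` rather than a VLAN ID.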