Users Guide

Authentication, Authorization, and Accounting 325
Dynamic VLAN Creation
If RADIUS-assigned VLANs are enabled through the Authorization Network RADIUS configuration option, the RADIUS server is expected to include the VLAN ID in the 802.1X tunnel attributes of its response message to the switch. If dynamic VLAN creation is enabled on the switch and the RADIUS-assigned VLAN does not exist, the assigned VLAN is dynamically created and the port PVID or native VLAN is set to the RADIUS-assigned VLAN ID. Trunk mode ports are also made members of the created VLAN. If the VLAN already exists on the switch, the port PVID or native VLAN is set to that VLAN ID.

This means that a client can connect from any port and be assigned to the appropriate VLAN based on the RADIUS server configuration, so clients can move around the network without much additional configuration on the switches. Dynamic VLAN assignment requires that the port be configured in general or access mode.
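The assignment described above, as an added example that is not code from this guide or from the switch firmware: the RADIUS server carries the VLAN in three RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID as a string), and the switch must decode them, check them, and then apply the rules from the paragraph. The attribute numbers and values are the standard RFC 2868 ones; the Access-Accept attribute list is constructed inline, and the `Switch`/`Port` model, the port names, and the behaviour when the VLAN is missing while dynamic creation is disabled are the example's own assumptions (the guide does not define that case, so the example simply refuses the assignment).

```python
"""Decode RFC 2868 tunnel attributes from a RADIUS Access-Accept and apply the
dynamic VLAN rules described in the guide. Example model only; the Switch and
Port classes are not the switch's real implementation."""
from dataclasses import dataclass, field
from typing import Optional

# RFC 2868 attribute types and the values used for 802.1X VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def parse_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs. A bad length
    raises instead of resynchronising on guessed boundaries."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def split_tag(atype: int, value: bytes) -> tuple[int, bytes]:
    """Separate the RFC 2868 tag octet from the data. Tunnel-Private-Group-ID
    always carries a tag octet (0x00 = unused); for the integer attributes an
    octet outside 0x01..0x1F is the first data byte, not a tag."""
    if not value:
        raise ValueError(f"empty attribute {atype}")
    if atype == TUNNEL_PRIVATE_GROUP_ID or 0x01 <= value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def radius_assigned_vlan(payload: bytes) -> Optional[int]:
    """Return the VLAN ID from a complete, consistent tunnel-attribute triple
    (same tag, type VLAN, medium IEEE-802, ID in 1..4094), else None."""
    groups: dict[int, dict[int, bytes]] = {}
    for atype, value in parse_attributes(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = split_tag(atype, value)
            groups.setdefault(tag, {})[atype] = data
    for group in groups.values():
        if len(group) != 3:
            continue  # incomplete triple: do not guess at the missing piece
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        text = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            return int(text)
    return None


def tunnel_vlan_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """Constructed Access-Accept attribute list carrying one VLAN assignment."""
    def attr(atype: int, data: bytes) -> bytes:
        return bytes([atype, len(data) + 2]) + data
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


@dataclass
class Port:
    name: str
    mode: str                    # "access", "general" or "trunk" (example model)
    pvid: Optional[int] = None   # PVID on access/general ports, native VLAN on trunks


@dataclass
class Switch:
    dynamic_vlan_creation: bool
    vlans: dict[int, set[str]] = field(default_factory=dict)  # VLAN ID -> member ports
    ports: dict[str, Port] = field(default_factory=dict)

    def assign(self, port_name: str, vlan_id: int) -> str:
        """Apply a RADIUS-assigned VLAN to a port following the guide's rules."""
        port = self.ports[port_name]
        if port.mode not in ("access", "general"):
            return "rejected: port must be in general or access mode"
        if vlan_id not in self.vlans:
            if not self.dynamic_vlan_creation:
                # Assumption: the guide does not define this case, so refuse.
                return "rejected: VLAN does not exist and dynamic creation is off"
            # Dynamic creation: new VLAN, and every trunk port becomes a member
            self.vlans[vlan_id] = {p.name for p in self.ports.values() if p.mode == "trunk"}
        self.vlans[vlan_id].add(port_name)
        port.pvid = vlan_id
        return f"port {port_name} PVID set to {vlan_id}"


def demo() -> tuple[Optional[int], str, str, set[str]]:
    """Constructed scenario: an access port and a trunk port, VLAN 100 not yet present."""
    sw = Switch(dynamic_vlan_creation=True, ports={
        "Gi1/0/1": Port("Gi1/0/1", "access"),
        "Gi1/0/2": Port("Gi1/0/2", "trunk"),
    })
    vid = radius_assigned_vlan(tunnel_vlan_attrs(100))
    first = sw.assign("Gi1/0/1", vid)   # VLAN 100 is created, trunk port joins it
    second = sw.assign("Gi1/0/2", vid)  # trunk port cannot take a dynamic assignment
    return vid, first, second, sw.vlans[100]


if __name__ == "__main__":
    print(demo())
```

The checks that matter to a defender are the ones that refuse rather than guess: a malformed attribute length raises, an incomplete or mixed-tag triple is ignored, and a Tunnel-Private-Group-ID outside 1..4094 yields no assignment, so a mis-configured or spoofed RADIUS response cannot push a port into an unintended VLAN.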
Unauthenticated VLAN
The network administrator may choose to configure an unauthenticated VLAN. Hosts that attempt authentication and fail are placed in the unauthenticated VLAN, if configured.

The 802.1X state machine implements the Held timer (per IEEE 802.1X-2010) and will not place the host in the unauthenticated VLAN until the timer expires.
Once in the unauthenticated VLAN, authentication is not reattempted until:
• the re-authentication timer expires
• the supplicant disconnects from the port
• the port is shut down and re-enabled
The number of re-authentication failures required to place a supplicant in the unauthenticated VLAN is not configurable.

The network administrator can configure the unauthenticated VLAN to provide the desired level of network access, i.e., a black hole or a guest VLAN type of access.