Configuration manual

User Authentication Overview
Fixed Switch Configuration Guide 10-9
Dynamic VLAN Assignment
The RADIUS server may optionally include RADIUS tunnel attributes in a RADIUS
Access-Accept message to dynamically assign a VLAN to the authenticated end system.
The RADIUS tunnel attributes described in RFC 3580 are often configured on a RADIUS server to
dynamically place users belonging to the same organizational group within an enterprise in the
same VLAN, or to place all offending users in a Quarantine VLAN according to the organization's
security policy. Tunnel attributes are only useful where end system authentication is configured
on the network, because the VLAN is carried in the Access-Accept that completes the
authentication. For example, all engineers can be dynamically assigned to the same VLAN upon
authentication, while sales staff are assigned to another VLAN upon authentication.
The name of the feature on Enterasys platforms that implements dynamic VLAN assignment
through the receipt of RADIUS tunnel attributes is VLAN authorization. VLAN authorization
depends upon receipt of the RFC 3580 RADIUS tunnel attributes in RADIUS Access-Accept
messages. VLAN authorization must be enabled both globally and on each port for the tunnel
attributes to be processed; if it is disabled either globally or on the port, the device ignores any
tunnel attributes it receives for that port.
By default, all policy-capable Enterasys platforms will dynamically assign a policy profile to the
port of an authenticating user based on the receipt of the Filter-ID RADIUS attribute. RADIUS
tunnel attributes are treated differently: VLAN authorization is disabled by default, so received
tunnel attributes have no effect until it is enabled.
VLAN Authorization Attributes
Three Tunnel attributes are used for dynamic VLAN Authorization:
Tunnel-Type attribute (Type=64, Length=6, Tag=0, Value=0x0D for VLAN)
Tunnel-Medium-Type attribute (Type=65, Length=6, Tag=0, Value=0x06 for 802 media)
Tunnel-Private-Group-ID attribute (Type=81, Length>=3, String=VID in ASCII)
The Tunnel-Type attribute indicates the tunneling protocol to be used when the attribute is
carried in a RADIUS Access-Request message, or the tunneling protocol in use when it is carried
in a RADIUS Access-Accept message. Set the Tunnel-Type attribute parameters as follows:
Type: Set to 64 for the Tunnel-Type RADIUS attribute
Length: Set to 6 for the six-byte length of this RADIUS attribute
Tag: Provides a means of grouping attributes in the same packet which refer to the same
tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. Set to 0x00 if unused; a first
octet greater than 0x1F is not a tag but the first octet of the value. Unless alternative tunnel
types are provided, it is only necessary for the tunnel attributes to specify a single tunnel. As a
result, where it is only desired to specify the VLAN ID, the tag field should be set to zero (0x00)
in all tunnel attributes.
Value: Indicates the type of tunnel. A value of 0x0D (decimal 13) indicates that the tunneling
protocol is a VLAN.
Tunnel-Medium-Type indicates the transport medium to use when creating a tunnel for the
tunneling protocol identified by the Tunnel-Type attribute. Set the Tunnel-Medium-Type
attribute parameters as follows:
Type: Set to 65 for the Tunnel-Medium-Type RADIUS attribute
Length: Set to 6 for the six-byte length of this RADIUS attribute
Tag: Provides a means of grouping attributes in the same packet which refer to the same
tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. Set to 0x00 if unused. Unless
alternative tunnel types are provided, it is only necessary for the tunnel attributes to specify a
single tunnel. As a result, where it is only desired to specify the VLAN ID, the tag field should
be set to zero (0x00) in all tunnel attributes.
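The following added example, which is not part of this guide or of any Enterasys software, encodes the three tunnel attributes listed above exactly as described (Type, Length, Tag, Value) for a given VLAN ID, and then shows the check a switch must perform on the other side before it acts on them: VLAN authorization must be enabled, Tunnel-Type must be 13 (VLAN), Tunnel-Medium-Type must be 6 (IEEE 802), all three attributes must carry the same tag, and the Tunnel-Private-Group-ID string must be a valid VLAN ID. The function and constant names, the 1..4094 VID range check, and the sample attribute bytes are this example's own assumptions, and the byte strings are constructed here rather than captured from a real server.

```python
import struct

# RADIUS attribute type codes and values from RFC 2868 / RFC 3580
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # 0x0D
TUNNEL_MEDIUM_IEEE_802 = 6     # 0x06
TAGGED_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer attribute: Type, Length=6, Tag, then a 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value must fit in three bytes")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string attribute: Type, Length (>= 3), Tag, then the ASCII string."""
    data = text.encode("ascii")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if 3 + len(data) > 255:
        raise ValueError("string too long for a RADIUS attribute")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_attributes(vid, tag=0):
    """Server side: the three attributes an Access-Accept needs to assign VLAN `vid`."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vid), tag))


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, raw_value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def split_tag(raw):
    """RFC 2868 tag rule: a first octet <= 0x1F is the tag; anything larger is value data."""
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


def vlan_from_access_accept(data, vlan_authorization_enabled=True):
    """Switch side: return the VID to apply, or None if the attributes must be ignored.

    Assumed policy (this example's, not Enterasys documentation): attributes are
    ignored while VLAN authorization is disabled; attributes are grouped by tag; a
    group is used only if Tunnel-Type is VLAN, Tunnel-Medium-Type is IEEE 802 and
    Tunnel-Private-Group-ID is an ASCII VID in 1..4094.
    """
    if not vlan_authorization_enabled:
        return None
    tunnels = {}                      # tag -> {attr_type: decoded value}
    for attr_type, raw in parse_attributes(data):
        if attr_type not in TAGGED_ATTRS:
            continue                  # Filter-ID, Class, etc. are not our concern here
        tag, value = split_tag(raw)
        entry = tunnels.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry[attr_type] = value.decode("ascii", errors="replace")
        elif len(value) == 3:
            entry[attr_type] = int.from_bytes(value, "big")
        # a malformed integer value (wrong length) is simply not recorded
    for tag in sorted(tunnels):
        entry = tunnels[tag]
        group = entry.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group.isascii() and group.isdigit()
                and 1 <= int(group) <= 4094):
            return int(group)
    return None


if __name__ == "__main__":
    accept = build_vlan_attributes(100)           # constructed sample, VID 100, tag 0
    print(accept.hex())
    print(vlan_from_access_accept(accept))                                   # 100
    print(vlan_from_access_accept(accept, vlan_authorization_enabled=False))  # None
```

Note that the check grouping attributes by tag is what makes the "set the tag to zero in all tunnel attributes" advice matter: if the server emits Tunnel-Type and Tunnel-Medium-Type with one tag and Tunnel-Private-Group-ID with another, the decoder above finds no complete group and assigns nothing, which is the safe outcome.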