AT-9000 Switch Command Line User’s Guide
947
Supplicant and VLAN Associations
One of the challenges to managing a network is accommodating end
users who roam. These are individuals whose work requires that they
access the network resources from different points at different times. The
difficulty arises in providing them with access to the same network
resources and, conversely, restricting them from unauthorized areas,
regardless of the workstation from where they access the network. A
closely related issue is where a workstation is employed at various times
by different individuals with unique requirements in terms of network
resources and security levels.
Providing network users with access to their network resources while also
maintaining network security is often achieved through the use of VLANs.
As explained in Chapter 49, “Port-based and Tagged VLANs” on page
761, a VLAN is an independent traffic domain where the traffic generated
by the nodes within the VLAN is restricted to nodes of the same VLAN,
unless there is a router or Layer 3 device. Different users are assigned to
different VLANs depending on their resource requirements and security
levels.
The problem with a port-based VLAN is that VLAN membership is
determined by the port on the switch to which the device is connected. If a
different device that needs to belong to a different VLAN is connected to
the port, the port must be moved manually to the new VLAN using the
management software.
With 802.1x port-based network access control, you can link a username
and password combination or MAC address to a specific VLAN so that the
switch automatically moves the port to the appropriate VLAN when a
supplicant logs on. This frees the network manager from having to
reconfigure VLANs as end users access the network from different points
or where the same workstation is used by different individuals at different
times.
To use this feature, you have to enter a VLAN identifier, along with other
information, when you create a supplicant account on the RADIUS server.
The server passes the identifier to the switch when a user logs on with a
valid username and password combination or MAC address, depending
on the authentication method. The information to provide on the RADIUS
server is outlined in “Supplicant VLAN Attributes on the RADIUS Server”
on page 949.
How the switch responds when it receives VLAN information during the
authentication process can differ depending on the operating mode of the
authenticator port.
To Next Page
Loading...
Need help?
General
