Security: 802.1X Authentication
Authenticator Overview
392 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
19
For a device to be authenticated and authorized at a port which is DVA-enabled:
• The RADIUS server must authenticate the device and dynamically assign a
VLAN to the device. You can set the RADIUS VLAN Assignment field to
static in the Port Authentication page. This enables the host to be bridged
according to static configuration.
• A RADIUS server must support DVA with RADIUS attributes tunnel-type
(64) = VLAN (13), tunnel-media-type (65) = 802 (6), and tunnel-private-
group-id = a VLAN ID.
When the RADIUS-Assigned VLAN feature is enabled, the host modes behave as
follows:
• Single-Host and Multi-Host Mode
Untagged traffic and tagged traffic belonging to the RADIUS-assigned
VLAN are bridged via this VLAN. All other traffic not belonging to
unauthenticated VLANs is discarded.
• Full Multi-Sessions Mode
Untagged traffic and tagged traffic not belonging to the unauthenticated
VLANs arriving from the client are assigned to the RADIUS-assigned VLAN
using TCAM rules and are bridged via the VLAN.
• Multi-Sessions Mode in Layer 3 System Mode
This mode does not support RADIUS-assigned VLAN,
The following table describes guest VLAN and RADIUS-VLAN assignment support
depending on authentication method and port mode.
Legend:
†—The port mode supports the guest VLAN and RADIUS-VLAN assignment
N/S—The port mode does not support the authentication method.
Authentication
Method
Single-host Multi-host Multi-sessions
Device in L3 Device in L2
802.1x
††N/S†
MAC
††N/S†
WEB
N/S N/S N/S N/S
To Next Page
Loading...
