Security: 802.1X Authentication
Overview
356 Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
18
The guest VLAN, if configured, is a static VLAN with the following characteristics:
• It must be manually defined from an existing static VLAN.
• The guest VLAN cannot be used as the Voice VLAN or an unauthenticated VLAN.
See RADIUS VLAN Assignment Support to see a summary of the modes in which guest
VLAN is supported.
Host Modes with Guest VLAN
The host modes work with guest VLAN in the following way:
• Single-Host and Multi-Host Mode
Untagged traffic and tagged traffic belonging to the guest VLAN arriving on an
unauthorized port are bridged via the guest VLAN. All other traffic is discarded. The
traffic belonging to an unauthenticated VLAN is bridged via the VLAN.
• Multi-Sessions Mode
Untagged traffic and tagged traffic, which does not belong to the unauthenticated
VLANs and that arrives from unauthorized clients, are assigned to the guest VLAN
using the TCAM rule and are bridged via the guest VLAN. The tagged traffic
belonging to an unauthenticated VLAN is bridged via the VLAN.
This mode cannot be configured on the same interface with policy-based VLANs.
RADIUS VLAN Assignment or Dynamic VLAN Assignment
An authorized client can be assigned a VLAN by the RADIUS server, if this option is enabled
in the Port Authentication page. This is called either Dynamic VLAN Assignment (DVA) or
RADIUS VLAN Assignment. In this guide, the term RADIUS-Assigned VLAN is used.
Untagged traffic and tagged traffic not belonging to the unauthenticated VLANs arriving from
the client are assigned to the RADIUS assigned VLAN using the TCAM rule and are bridged
via the VLAN.
See RADIUS VLAN Assignment Support for further information about how the different
modes behave when RADIUS-Assigned VLAN is enabled on the device.
For a device to be authenticated and authorized at a port which is DVA-enabled:
• The RADIUS server must authenticate the device and dynamically assign a VLAN to
the device. You can set the RADIUS VLAN Assignment field to static in the Port
Authentication page. This enables the host to be bridged according to static
configuration.
To Next Page
Loading...
Need help?
General
