Security
Configuring 802.1X
Cisco 500 Series Stackable Managed Switch Administration Guide Release 1.3
- Single session/multiple hosts—This follows the 802.1x standard. In this 
mode, the device, as an authenticator, allows any device to use a port as 
long as the port has been granted permission. 
• Multi-Session 802.1X—Every device (supplicant) connecting to a port 
must be authenticated and authorized by the device (authenticator) 
separately in a different 802.1x session. 
NOTE This is the only mode that supports Dynamic VLAN Assignment (DVA). 
Dynamic VLAN Assignment (DVA)
Dynamic VLAN Assignment (DVA) is also referred to as RADIUS VLAN Assignment 
in this guide. When a port is in Multiple Session mode and is DVA-enabled, the 
device automatically adds the port as an untagged member of the VLAN that is 
assigned by the RADIUS server during the authentication process. The device 
classifies untagged packets to the assigned VLAN if the packets originated from 
the devices or ports that are authenticated and authorized.
NOTE DVA is only supported on the Sx500 model switches when the device is in Layer 2 
system mode.
For a device to be authenticated and authorized at a port which is DVA-enabled:
• The RADIUS server must authenticate the device and dynamically assign a 
VLAN to the device. The user can configure an alternative VLAN ahead of 
time to be used if the RADIUS server does not assign a VLAN.
• The assigned VLAN must not be the default VLAN and must have been 
created on the device. 
• The device must not be configured to use both a DVA and a MAC-based 
VLAN group together. 
• A RADIUS server must support DVA with RADIUS attributes tunnel-type 
(64) = VLAN (13), tunnel-media-type (65) = 802 (6), and 
tunnel-private-group-id = a VLAN ID.
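The following check is an added example, not part of the Cisco guide or the switch firmware: it parses the attribute list of a RADIUS reply and applies the DVA conditions listed above. It assumes the RFC 2868 encoding (attribute 81 for tunnel-private-group-id, a tag byte on tunnel attributes), a default VLAN of 1, and that a reply with no tunnel-private-group-id counts as "no VLAN assigned"; the function names and sample replies are constructed for illustration.

```python
# Added example: validates RADIUS reply attributes against the DVA conditions above.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # 81 per RFC 2868
TYPE_VLAN, MEDIUM_802 = 13, 6

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data: bytes) -> dict:
    """Walk the TLV attribute list; keep the first value seen for each type."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length in attribute {atype}")
        attrs.setdefault(atype, data[i + 2:i + alen])
        i += alen
    return attrs

def tagged_int(value: bytes) -> int:
    """RFC 2868 integer attribute: one tag byte, then a 3-byte big-endian value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return int.from_bytes(value[1:], "big")

def dva_vlan(reply: bytes, existing_vlans, default_vlan=1, alternative_vlan=None):
    """Return the VLAN the port would join, or None if the reply fails a condition."""
    attrs = parse_attributes(reply)
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:                      # assumption: no VLAN assigned = attribute absent
        return alternative_vlan
    if TUNNEL_TYPE not in attrs or tagged_int(attrs[TUNNEL_TYPE]) != TYPE_VLAN:
        return None
    if TUNNEL_MEDIUM_TYPE not in attrs or tagged_int(attrs[TUNNEL_MEDIUM_TYPE]) != MEDIUM_802:
        return None
    if group[:1] and group[0] <= 0x1F:     # optional RFC 2868 tag byte before the string
        group = group[1:]
    if not group.isdigit():                # this sketch accepts numeric VLAN IDs only
        return None
    vlan = int(group)
    if vlan == default_vlan or vlan not in existing_vlans:
        return None                        # default VLAN, or VLAN not created on the device
    return vlan

# Constructed sample replies (not captured traffic).
GOOD = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"30")
WRONG_MEDIUM = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x01") + attr(81, b"30")
NO_VLAN = attr(1, b"alice")
```
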
The authentication methods can be:
• 802.1x—The device supports the authentication mechanism, as described 
in the standard, to authenticate and authorize 802.1x supplicants.
• MAC-based—The device can be configured to use this mode to 
authenticate and authorize devices that do not support 802.1x. The device 
emulates the supplicant role on behalf of the non-802.1x-capable devices, 
and uses the MAC address of the devices as the username and password 
when communicating with the RADIUS servers. MAC addresses for