
HP E3800-24G-PoE+-2SFP+

732 pages
RADIUS Authentication, Authorization, and Accounting
VLAN Assignment in an Authentication Session

A switch supports concurrent 802.1X and either Web- or MAC-authentication
sessions on a port (with up to 32 clients allowed). If you have configured
RADIUS as the primary authentication method for a type of access, when a
client authenticates on a port, the RADIUS server assigns an untagged VLAN
that is statically configured on the switch for use in the authentication session.
(For information on how to configure a user profile on a RADIUS server with
the VLAN to be assigned for 802.1X, Web, or MAC authentication, refer to the
documentation provided with the RADIUS server application.)

If a switch port is configured to accept multiple 802.1X and/or Web- or
MAC-Authentication client sessions, all authenticated clients must use the same
port-based, untagged VLAN membership assigned for the earliest, currently
active client session. On a port where one or more authenticated client
sessions are already running, all clients are on the same untagged VLAN. If the
RADIUS server subsequently authenticates a new client, but attempts to
re-assign the port to a different, untagged VLAN than the one already in use for
the previously existing, authenticated client sessions, the connection for the
new client will fail.

Tagged and Untagged VLAN Attributes

When you configure a user profile on a RADIUS server to assign a VLAN to an
authenticated client, you can use either the VLAN’s name or VLAN ID (VID)
number. For example, if a VLAN configured in the switch has a VID of 100 and
is named vlan100, you could configure the RADIUS server to use either “100”
or “vlan100” to specify the VLAN.

After the RADIUS server validates a client’s username and password, the
RADIUS server returns an Access-Accept packet that contains the VLAN
assignment and the following attributes for use in the authentication session:

• Egress-VLANID: Configures an optional, egress VLAN ID for either
  tagged or untagged packets (RFC 4675).
• Egress-VLAN-Name: Configures an optional, egress VLAN for either
  tagged or untagged packets when the VLAN ID is not known (RFC 4675).
• Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID:
  Tunnel attributes that specify an untagged VLAN assignment (RFC 3580).
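
The following added example (not part of the HP manual and not switch firmware code) decodes the attributes listed above from the attribute section of an Access-Accept and then applies the rule that a new client must land on the untagged VLAN already in use on the port. The function names, the constructed sample bytes, and the choice to fail a session whose VLAN is not statically configured on the switch are assumptions made for illustration.

```python
# RADIUS attribute types: RFC 2868/3580 tunnel attributes, RFC 4675 egress attributes.
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
EGRESS_VLANID, EGRESS_VLAN_NAME = 56, 58
TAGGING = {0x31: "tagged", 0x32: "untagged"}  # RFC 4675 tag-indication octet

def attr(code, value):
    """Encode one attribute as type, length, value."""
    return bytes([code, len(value) + 2]) + value

# Constructed sample: attribute section of an Access-Accept (not a capture).
SAMPLE = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")       # 13 = VLAN
          + attr(TUNNEL_MEDIUM, b"\x00\x00\x00\x06")   # 6 = IEEE-802
          + attr(TUNNEL_PGID, b"vlan100")
          + attr(EGRESS_VLANID, b"\x31\x00\x00\xc8"))  # tagged, VID 200

def parse_vlan_attrs(data):
    """Walk the TLVs and return the untagged VLAN plus any egress VLANs."""
    out, tunnel, i = {"untagged": None, "egress": []}, {}, 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        code, value = data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(value) == 4:
            tunnel[code] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif code == TUNNEL_PGID and value:
            # A first octet of 0x00-0x1F is a tag; anything higher is string data.
            tunnel[code] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif code == EGRESS_VLANID and len(value) == 4 and value[0] in TAGGING:
            vid = int.from_bytes(value[2:], "big") & 0x0FFF  # low 12 bits
            out["egress"].append((TAGGING[value[0]], str(vid)))
        elif code == EGRESS_VLAN_NAME and value and value[0] in TAGGING:
            out["egress"].append((TAGGING[value[0]], value[1:].decode()))
    # RFC 3580: only Tunnel-Type=VLAN with Tunnel-Medium-Type=802 names a VLAN.
    if tunnel.get(TUNNEL_TYPE) == 13 and tunnel.get(TUNNEL_MEDIUM) == 6:
        out["untagged"] = tunnel.get(TUNNEL_PGID)
    return out

def admit(port_vlan, static_vlans, assigned):
    """Return (accepted, port VLAN afterwards) for a newly authenticated client."""
    vid = next((v for v, n in static_vlans.items() if assigned in (str(v), n)), None)
    if vid is None:
        return False, port_vlan  # assumption: unknown VLAN means the session fails
    if port_vlan is not None and vid != port_vlan:
        return False, port_vlan  # differs from the VLAN of the earliest active session
    return True, vid
```

Here `port_vlan` is `None` while no authenticated session is active on the port, and `static_vlans` maps each VID configured on the switch to its name.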
