102
For more information about configuring local authentication and RADIUS authentication, see
"Configuring AAA."
VLAN assignment
MAC authentication supports the authorization VLAN, guest VLAN, and critical VLAN.
Authorization VLAN
You can specify the authorization VLAN for a MAC authentication user to control access to authorized
network resources.
• On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VL
AN
name.
• On the loc
al access device, the authorization VLAN must be specified in the form of VLAN ID. Yo
u
can spec
ify the authorization VLAN in the following view
s:
{ Local user view.
{ User group view.
For more information about local authorization VLAN configuration, see "Configuring AAA
."
When the
MAC authentication user passes authentication, the authentication server (either the local
access device or a RADIUS server) assigns the authorization VLAN to the user.
The port through which the user accesses the device is assigned to the authorization VLAN. A hybrid port
is always assigned to a server-assigned authorization VLAN as an untagged member. After the
assignment, do not reconfigure the port as a tagged member in the VLAN.
Table 9 d
escribes the way the network access device handles authorization VLANs for MAC
a
uthenticated users.
Table 9 VLAN manipulation
Port t
e VLAN mani
ulation
• Access port
• Trunk port
• Hybrid port with
MAC-based-VLAN disabled
The device assigns the first authenticated user's authorization VLAN to
the port as the PVID.
NOTE:
For these port types, you must assign the same authorization VLAN to
all MAC authentication users on a port. If a different authorization
VLAN is assigned to a subsequent user, the user cannot pass MAC
authentication.
Hybrid port with MAC-based VLAN
enabled
The device maps the MAC address of each user to the authorization
VLAN. The PVID of the port does not change. When a user logs off, the
MAC-to-VLAN mapping for the user is removed.
Guest VLAN
You can configure a MAC authentication guest VLAN on a port to accommodate users that have failed
MAC authentication on the port. Users in the MAC authentication guest VLAN can access a limited set
of network resources, such as a software server, to download software and system patches. If no MAC
authentication guest VLAN is configured, the users that have failed MAC authentication cannot access
any network resources.
A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After
the assignment, do not reconfigure the port as a tagged member in the VLAN.
To Next Page
Loading...
Need help?
General