96
802.1X guest VLAN and authorization VLAN configuration
example
Network requirements
As shown in Figure 32, use RADIUS servers to perform authentication, authorization, and
accounting for 802.1X users who connect to GigabitEthernet 1/0/2. Implement port-based access
control on the port.
If no user performs 802.1X authentication on GigabitEthernet 1/0/2 within a period of time, the device
adds GigabitEthernet 1/0/2 to the guest VLAN, VLAN 10. The host and the update server are both in
VLAN 10, and the host can access the update server and download the 802.1X client software.
After the host passes 802.1X authentication, the access device assigns the host to VLAN 5 where
GigabitEthernet 1/0/3 is. The host can access the Internet.
Figure 32 Network diagram
Configuration procedure
1. Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the
access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.)
2. Configure the RADIUS server to provide authentication, authorization, and accounting services.
Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users.
(Details not shown.)
3. Create VLANs, and assign ports to the VLANs on the access device.
<Device> system-view
[Device] vlan 1
[Device-vlan1] port gigabitethernet 1/0/2
[Device-vlan1] quit
[Device] vlan 10
Internet
Update server Authentication server
Host
Device
Internet
Update server
Authentication server
Host
VLAN 10
GE
1/0/
1
VLAN 1
GE1/
0/2
VLAN
5
GE1
/0/
3
VLAN 2
GE1
/0
/4
Device
Internet
Update server Authentication server
Host
Device
Port assigned to
guest VLAN
User comes
online
VLAN 10
GE
1/0
/1
VLAN 2
GE1/
0/4
VLAN 10
GE1/
0/2
VLAN 5
GE1/0/3
VLAN 5
GE1
/0/
3
VLAN 5
GE1/0/2
VLAN 10
GE1/0
/1
VLAN 2
GE1/0/4