HPE FlexNetwork 5510 HI Series

551 pages
VLAN assignment
Authorization VLAN
The device uses the authorization VLAN to control the access of a MAC authentication user to
authorized network resources.
The device supports the following VLAN authorization methods:
- Remote VLAN authorization: The authorization VLAN information of a MAC
  authentication user is assigned by a remote server. The device can resolve
  server-assigned VLANs in the form of VLAN ID or VLAN name.
  The port through which the user accesses the device is assigned to the
  authorization VLAN as a tagged or untagged member.
- Local VLAN authorization: The authorization VLAN of a MAC authentication
  user is specified in user view or user group view in the form of VLAN ID on
  the device.
  The port through which the user accesses the device is assigned to the VLAN
  as an untagged member. Tagged VLAN assignment is not supported.
For more information about local authorization VLAN configuration, see "Configuring AAA."
Table 9 describes the way the network access device handles authorization VLANs for MAC
authenticated users.
Table 9 VLAN manipulation

Port type:
- Access port
- Trunk port
- Hybrid port with MAC-based VLAN disabled
VLAN manipulation:
- If the port is assigned to the authorization VLAN as an untagged member,
  the device assigns the port to the first authenticated user's authorization
  VLAN. The authorization VLAN becomes the PVID. All MAC authentication users
  on the port must be assigned the same authorization VLAN. If a different
  authorization VLAN is assigned to a subsequent user, the user cannot pass
  MAC authentication.
- If the port is assigned to the authorization VLAN as a tagged member, the
  PVID of the port does not change. The device maps the MAC address of each
  user to its own authorization VLAN.
NOTE:
An access port can be assigned to an authorization VLAN only as an untagged
VLAN member.

Port type:
- Hybrid port with MAC-based VLAN enabled
VLAN manipulation:
The device maps the MAC address of each user to its own authorization VLAN
regardless of whether the port is a tagged member. The PVID of the port does
not change.

IMPORTANT:
MAC authentication support for tagged VLAN assignment is available in Release 1121 and later.
As a best practice, always assign a hybrid port to a VLAN as an untagged member. After the
assignment, do not reconfigure the port as a tagged member in the VLAN.
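
The Table 9 rules as a small Python model, added here as an illustration and not taken from HPE documentation or device software. Port, authorize, and replay are hypothetical names, the starting PVID of 1 and the MAC addresses are constructed, and user logoff is not modeled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Port:
    link_type: str                       # "access", "trunk" or "hybrid"
    mac_based_vlan: bool = False         # only meaningful on hybrid ports
    pvid: int = 1                        # constructed default for the example
    untagged_auth_vlan: Optional[int] = None
    mac_to_vlan: Dict[str, int] = field(default_factory=dict)

def authorize(port: Port, mac: str, vlan: int, tagged: bool = False) -> bool:
    """Apply one authorization VLAN to a port as Table 9 describes.

    Returns True if the user can pass MAC authentication, False otherwise.
    """
    if port.link_type == "hybrid" and port.mac_based_vlan:
        # Per-MAC mapping whether or not the port is a tagged member; PVID unchanged.
        port.mac_to_vlan[mac] = vlan
        return True
    if tagged:
        if port.link_type == "access":
            # The NOTE allows only untagged assignment on access ports, so the
            # model treats this combination as invalid input (an assumption).
            raise ValueError("access port: untagged assignment only")
        # Tagged member: PVID unchanged, each MAC maps to its own VLAN.
        port.mac_to_vlan[mac] = vlan
        return True
    if port.untagged_auth_vlan is None:
        # First authenticated user: its authorization VLAN becomes the PVID.
        port.untagged_auth_vlan = port.pvid = vlan
        return True
    # Later users must be assigned the same authorization VLAN.
    return vlan == port.untagged_auth_vlan

def replay(port: Port, assignments):
    """Feed (mac, vlan, tagged) tuples to a port and collect the outcomes."""
    return [authorize(port, mac, vlan, tagged) for mac, vlan, tagged in assignments]

# Constructed sample: three users behind one port, two different VLANs.
USERS = [("0011-2233-0001", 10, False),
         ("0011-2233-0002", 10, False),
         ("0011-2233-0003", 20, False)]

if __name__ == "__main__":
    for link_type, mbv in (("trunk", False), ("hybrid", True)):
        p = Port(link_type, mac_based_vlan=mbv)
        print(link_type, mbv, replay(p, USERS), "PVID:", p.pvid)
```

Replaying the RADIUS VLAN assignments planned for a shared port (for example, a phone and a PC behind it) shows before deployment which users would be rejected under the untagged rule.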
Guest VLAN
You can configure a MAC authentication guest VLAN on a port to accommodate users that have
failed MAC authentication on the port. Users in the MAC authentication guest VLAN can access a
limited set of network resources, such as a software server, to download software and system
patches. If no MAC authentication guest VLAN is configured, the users that have failed MAC
authentication cannot access any network resources.
