Operation Manual – AAA & RADIUS & HWTACACS & EAD
Quidway S3900 Series Ethernet Switches-Release 1510
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
Huawei Technologies Proprietary
1-19
Note:
z If a bound AAA scheme is configured as well as the separate authentication,
authorization and accounting schemes, the separate ones will be adopted in
precedence.
z RADIUS scheme and local scheme do not support the separation of authentication
and authorization. Therefore, pay attention when you make authentication and
authorization configuration for a domain: if the scheme radius-scheme or scheme
local command is executed, the authorization none command is executed, while
the authentication command is not executed, the authorization information
returned from the RADIUS or local scheme still takes effect.
1.3.5 Configuring Dynamic VLAN Assignment
The dynamic VLAN assignment feature enables a switch to dynamically add the switch
ports of successfully authenticated users to different VLANs according to the attributes
assigned by the RADIUS server, so as to control the network resources that different
users can access.
Currently, the switch supports the RADIUS authentication server to assign the following
two types of VLAN IDs: integer and string.
z Integer: If the RADIUS server assigns integer type of VLAN IDs, you can set the
VLAN assignment mode to integer on the switch (this is also the default mode on
the switch). Then, upon receiving an integer ID assigned by the RADIUS
authentication server, the switch adds the port to the VLAN whose VLAN ID is
equal to the assigned integer ID. If no such a VLAN exists, the switch first creates
a VLAN with the assigned ID, and then adds the port to the newly created VLAN.
z String: If the RADIUS server assigns string type of VLAN IDs, you can set the
VLAN assignment mode to string on the switch. Then, upon receiving a string ID
assigned by the RADIUS authentication server, the switch compares the ID with
existing VLAN names on the switch. If it finds a match, it adds the port to the
corresponding VLAN. Otherwise, the VLAN assignment fails and the user cannot
pass the authentication.
In actual applications, to use this feature together with Guest VLAN, you should better
set port control to port-based mode.
To Next Page
Loading...
Need help?
General