LevelOne GEP-1070 - Page 86

changes only take effect after all users have logged off the port.
RADIUS-Assigned VLAN Enabled - RADIUS-assigned VLAN provides a means to
centrally control the VLAN on which a successfully authenticated supplicant is placed on
the switch. Incoming traffic will be classified to and switched on the RADIUS-assigned
VLAN. The RADIUS server must be configured to transmit special RADIUS attributes to
take advantage of this feature.
The “RADIUS-Assigned VLAN Enabled” checkbox provides a quick way to globally
enable/disable RADIUS-server assigned VLAN functionality. When checked, the
individual port settings determine whether RADIUS-assigned VLAN is enabled for that
port. When unchecked, RADIUS-server assigned VLAN is disabled for all ports.
When RADIUS-Assigned VLAN is both globally enabled and enabled for a given port, the
switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet
transmitted by the RADIUS server when a supplicant is successfully authenticated. If
present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will
be set to be a member of that VLAN ID, and the port will be forced into VLAN-unaware
mode. Once assigned, all traffic arriving on the port will be classified and switched on the
RADIUS-assigned VLAN ID.
If (re-)authentication fails, the RADIUS Access-Accept packet no longer carries a VLAN
ID or carries an invalid one, or the supplicant is otherwise no longer present on the port,
the port's VLAN ID is immediately reverted to the original VLAN ID (which the
administrator may change in the meantime without affecting the RADIUS-assigned setting).
This option is only available for single-client modes, i.e. port-based 802.1X and Single
802.1X.
Note: For trouble-shooting VLAN assignments, use the Monitor > VLANs > VLAN
Membership and VLAN Port pages. These pages show which modules have (temporarily)
overridden the current Port VLAN configuration.
RADIUS Attributes Used in Identifying a VLAN ID
RFC 2868 and RFC 3580 form the basis for the attributes used in identifying a VLAN ID in an
Access-Accept packet. The following criteria are used:
The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all
be present at least once in the Access-Accept packet.
The switch looks for the first set of these attributes that have the same Tag value and fulfil
the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need
to include a Tag):
■ Value of Tunnel-Medium-Type must be set to “IEEE-802” (ordinal 6).
■ Value of Tunnel-Type must be set to “VLAN” (ordinal 13).
■ Value of Tunnel-Private-Group-ID must be a string of ASCII characters in the range 0-9,
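
Added example (not from this manual or the switch firmware): a Python sketch of the selection rule described above, useful for checking what VLAN a RADIUS server's Access-Accept attributes would yield before deploying a policy. The function names are hypothetical, the attribute layout follows RFC 2868, "first set" is assumed to mean first-seen Tag order, and only the 0-9 rule visible on this page is enforced for Tunnel-Private-Group-ID.

```python
# Added example: VLAN selection from Access-Accept attributes (RFC 2868 layout).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # ordinals quoted in the manual text

def attr(atype, payload):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(payload) + 2]) + payload

def iter_attributes(buf):
    """Yield (type, value) per attribute; reject malformed lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def assigned_vlan(attrs):
    """Return the VLAN ID digits of the first qualifying tag set, else None."""
    sets = {}  # tag -> {attribute type: value}, kept in first-seen order
    for atype, val in iter_attributes(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4 or val[0] > 0x1F:
                continue  # RFC 2868: 1 tag octet (0x00-0x1F) + 3 value octets
            tag, value = val[0], int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            # First octet above 0x1F is string data, so the tag is implicitly 0.
            tag, value = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
        else:
            continue
        sets.setdefault(tag, {}).setdefault(atype, value)
    for fields in sets.values():
        gid = fields.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if (fields.get(TUNNEL_TYPE) == VLAN
                and fields.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and gid.isdigit()):  # only the 0-9 rule shown on this page
            return gid.decode("ascii")
    return None

# Constructed samples (not captured traffic).
TAGGED = (attr(64, bytes([1, 0, 0, 3])) + attr(65, bytes([1, 0, 0, 6]))
          + attr(81, b"\x01" + b"10")      # tag 1: Tunnel-Type 3, not VLAN
          + attr(64, bytes([2, 0, 0, 13])) + attr(65, bytes([2, 0, 0, 6]))
          + attr(81, b"\x02" + b"20"))     # tag 2: qualifies
UNTAGGED = (attr(64, bytes([0, 0, 0, 13])) + attr(65, bytes([0, 0, 0, 6]))
            + attr(81, b"30"))             # tag 0, no tag octet in the ID
NOT_NUMERIC = UNTAGGED[:12] + attr(81, b"guest")

if __name__ == "__main__":
    for name in ("TAGGED", "UNTAGGED", "NOT_NUMERIC"):
        print(name, assigned_vlan(globals()[name]))
```

A `None` result corresponds to the case described earlier in which the Access-Accept carries no valid VLAN ID and the port keeps its original Port VLAN ID.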
