Using 802.1X With Vlan Assignment - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

About 802.1X Port-Based Authentication

Using 802.1X with VLAN Assignment

You can use the VLAN assignment to limit network access for certain users. With the VLAN assignment,
802.1X-authenticated ports are assigned to a VLAN based on the username of the client connected to
that port. The RADIUS server database maintains the username-to-VLAN mappings. After successful
802.1X authentication of the port, the RADIUS server sends the VLAN assignment to the switch. The
VLAN can be a standard VLAN or a PVLAN.
On platforms that support PVLANs, you can isolate hosts by assigning ports into PVLANs.
When configured on the switch and the RADIUS server, 802.1X with VLAN assignment has these
characteristics:
- If no VLAN is supplied by the RADIUS server, the port is placed in its configured access VLAN (or, on a PVLAN host port, its isolated PVLAN) when authentication succeeds.

- If the authentication server provides invalid VLAN information, the port remains unauthorized. This prevents a configuration error from unexpectedly placing a port in an inappropriate VLAN.

- Starting with Cisco IOS Release 15.0(2)SG, if multi-authentication mode is enabled on an 802.1X port, VLAN assignment succeeds for the first authenticated host. Subsequent data hosts that are authorized based on their user credentials are considered successfully authenticated provided they either have no VLAN assignment or have a VLAN assignment matching that of the first successfully authenticated host on the port. This ensures that all successfully authenticated hosts on a port are members of the same VLAN; only the first authenticated host has any flexibility in VLAN assignment.

- If the authentication server provides valid VLAN information, the port is authorized and placed in the specified VLAN when authentication succeeds.

- If multiple-hosts mode is enabled, all hosts are in the same VLAN as the first authenticated user.

- If 802.1X is disabled on the port, the port is returned to its configured access VLAN.

- A port must be configured either as an access port (which can be assigned only into "regular" VLANs) or as a PVLAN host port (which can be assigned only into PVLANs). Configuring a port as a PVLAN host port implies that all hosts on the port are assigned into PVLANs, whether their posture is compliant or non-compliant. If the type of the VLAN named in the Access-Accept does not match the type of VLAN the port expects (a regular VLAN for an access port, a secondary PVLAN for a PVLAN host port), the VLAN assignment fails.

- If a guest VLAN is configured to handle non-responsive hosts, the type of VLAN configured as the guest VLAN must match the port type (that is, guest VLANs on access ports must be standard VLANs, and guest VLANs on PVLAN host ports must be PVLANs). If the guest VLAN's type does not match the port type, non-responsive hosts are treated as if no guest VLAN were configured (that is, they are denied network access).

- To assign a port into a PVLAN, the named VLAN must be a secondary PVLAN. The switch determines the implied primary VLAN from the locally configured secondary-to-primary association.

Note: If you change the access VLAN or PVLAN host VLAN mapping on a port that is already authorized in a RADIUS-assigned VLAN, the port remains in the RADIUS-assigned VLAN.
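As an added example (not from the Cisco guide), the following Python models the assignment rules listed above: it reads the VLAN from an Access-Accept's RFC 3580 tunnel attributes (an assumption; this page does not name the attributes), checks the VLAN against the port type, and enforces the multi-authentication same-VLAN rule. The `Port` class, the VLAN database and the attribute sets are constructed for the example.

```python
# Added example (not from the Cisco guide): a model of this section's VLAN-assignment
# rules, exercised with constructed Access-Accept attribute sets.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
# RFC 3580 tunnel attributes carry the VLAN in an Access-Accept (values from the RFC,
# not from this page). INVALID marks attributes that are present but malformed.
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
INVALID = "<invalid>"

REGULAR_VLANS = {"10", "20", "30"}                    # constructed switch VLAN database
SECONDARY_TO_PRIMARY = {"101": "100", "102": "100"}   # secondary -> primary PVLAN map

@dataclass
class Port:
    kind: str                              # "access" or "pvlan-host"
    default_vlan: str                      # access VLAN, or isolated secondary PVLAN
    multi_auth: bool = False
    first_host_vlan: Optional[str] = None  # VLAN of the first authenticated host

def vlan_attrs(vlan: str) -> Dict[str, object]:
    """Attributes a RADIUS server sends to assign `vlan` (constructed sample)."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN, "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": vlan}

def vlan_from_accept(attrs: Dict[str, object]) -> Optional[str]:
    """VLAN named in the Access-Accept: None if absent, INVALID if malformed."""
    if "Tunnel-Private-Group-ID" not in attrs:
        return None
    if (attrs.get("Tunnel-Type"), attrs.get("Tunnel-Medium-Type")) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802):
        return INVALID
    return str(attrs["Tunnel-Private-Group-ID"])

def authorize(port: Port, attrs: Dict[str, object]) -> Tuple[str, Optional[str]]:
    """One successful 802.1X authentication on `port`; returns (state, vlan). On a
    PVLAN host port the vlan is the secondary; the primary is implied by the map."""
    vlan = vlan_from_accept(attrs)
    if vlan is None:  # no VLAN supplied: configured VLAN, or first host's VLAN under multi-auth
        vlan = port.first_host_vlan or port.default_vlan
    elif vlan == INVALID:  # invalid VLAN information: port stays unauthorized
        return "unauthorized", None
    else:  # VLAN type must match the port type, or the assignment fails
        allowed = REGULAR_VLANS if port.kind == "access" else SECONDARY_TO_PRIMARY
        if vlan not in allowed:
            return "unauthorized", None
    if port.multi_auth and port.first_host_vlan not in (None, vlan):
        return "unauthorized", None  # later hosts must match the first host's VLAN
    if port.multi_auth and port.first_host_vlan is None:
        port.first_host_vlan = vlan  # the first host fixes the VLAN for the port
    return "authorized", vlan
```

The model does not cover guest VLANs or the behaviour after 802.1X is disabled on the port; both follow the same type-matching logic described above.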
Chapter 44: Configuring 802.1X Port-Based Authentication (OL-25340-01)