802.1x User Distribution; 802.1x User Distribution Configuration Guidelines - Cisco IE-4000 Software Configuration Manual

Industrial ethernet switch

Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
For more configuration information, see
Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See
Manager CLI Commands, page

802.1x User Distribution

You can configure 802.1x user distribution to load-balance users with the same group name across multiple different VLANs.

The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a VLAN group name.

- Configure the RADIUS server to send more than one VLAN name for a user. The multiple VLAN names can be sent as part of the response to the user. The 802.1x user distribution tracks all the users in a particular VLAN and achieves load balancing by moving the authorized user to the least populated VLAN.
- Configure the RADIUS server to send a VLAN group name for a user. The VLAN group name can be sent as part of the response to the user. You can search for the selected VLAN group name among the VLAN group names that you configured by using the switch CLI. If the VLAN group name is found, the corresponding VLANs under this VLAN group name are searched to find the least populated VLAN. Load balancing is achieved by moving the corresponding authorized user to that VLAN.

Note:
The RADIUS server can send the VLAN information in any combination of VLAN-IDs, VLAN names, or VLAN groups.
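
The selection logic described above, as an added Python model (not Cisco's implementation and not taken from the manual): it expands a RADIUS response holding any mix of VLAN-IDs, VLAN names and VLAN group names, then places each user in the least populated VLAN. The VLAN names, IDs and group name, the tie-breaking rule and the handling of unknown names are assumptions made for the illustration.

```python
# Constructed sample data: VLAN names and VLAN groups as they might be
# defined on the switch. All names and IDs here are hypothetical.
VLAN_NAMES = {"ENG-A": 10, "ENG-B": 20, "ENG-C": 30, "LAB": 40}
VLAN_GROUPS = {"eng-dept": [10, 20, 30]}


def resolve_candidates(radius_values, vlan_names=VLAN_NAMES, vlan_groups=VLAN_GROUPS):
    """Expand RADIUS-supplied VLAN-IDs, VLAN names and VLAN group names into VLAN IDs."""
    candidates = []
    for value in radius_values:
        if value.isdigit():
            ids = [int(value)]            # a bare VLAN-ID
        elif value in vlan_names:
            ids = [vlan_names[value]]     # a VLAN name
        elif value in vlan_groups:
            ids = vlan_groups[value]      # a VLAN group name configured via the CLI
        else:
            ids = []                      # unknown name: contributes no candidate
        for vid in ids:
            if vid not in candidates:
                candidates.append(vid)
    return candidates


def assign_vlan(user, radius_values, population):
    """Place an authorized user in the least populated candidate VLAN.

    `population` maps VLAN ID -> set of users currently in that VLAN.
    Returns the chosen VLAN ID, or None when nothing resolves (assumed
    here to mean no VLAN is assigned; the manual page does not say).
    Ties go to the first candidate listed, which is also an assumption.
    """
    candidates = resolve_candidates(radius_values)
    if not candidates:
        return None
    chosen = min(candidates, key=lambda vid: len(population.setdefault(vid, set())))
    population[chosen].add(user)
    return chosen


def distribute(users, radius_values):
    """Authorize users in order and return the resulting VLAN -> users map."""
    population = {}
    for user in users:
        assign_vlan(user, radius_values, population)
    return {vid: sorted(members) for vid, members in population.items()}
```
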

802.1x User Distribution Configuration Guidelines

- Confirm that at least one VLAN is mapped to the VLAN group.
- You can map more than one VLAN to a VLAN group.
- You can modify the VLAN group by adding or deleting a VLAN.
- When you clear an existing VLAN from the VLAN group name, none of the authenticated ports in the VLAN are cleared, but the mappings are removed from the existing VLAN group.
- If you clear the last VLAN from the VLAN group name, the VLAN group is cleared.
- You can clear a VLAN group even when the active VLANs are mapped to the group. When you clear a VLAN group, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared.
For more information, see

Network Admission Control Layer 2 802.1x Validation

The switch supports the Network Admission Control (NAC) Layer 2 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 802.1x validation, you can do these tasks:

- Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]) from the authentication server.
- Set the number of seconds between reauthentication attempts as the value of the Session-Timeout RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS server.

Authentication Manager, page
195.
Configuring 802.1x User Distribution, page
194.
229.
Authentication

This manual is also suitable for:

IE-5000, IE-4010