Using 802.1X For Guest VLANs - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
About 802.1X Port-Based Authentication
When configured on the switch and the RADIUS server, 802.1X with VLAN assignment has these characteristics:
If no VLAN is supplied by the RADIUS server, the port is configured in its access VLAN or isolated PVLAN when authentication succeeds.
If the authentication server provides invalid VLAN information, the port remains unauthorized. This situation prevents ports from appearing unexpectedly in an inappropriate VLAN due to a configuration error.
Starting with Cisco IOS Release 15.0(2)SG, if multi-authentication mode is enabled on an 802.1X port, VLAN assignment occurs successfully for the first authenticated host. Subsequent authorized (based on user credentials) data hosts are considered successfully authenticated, provided either they have no VLAN assignment or have a VLAN assignment matching the first successfully authenticated host on the port. This ensures that all successfully authenticated hosts on a port are members of the same VLAN. Flexibility of VLAN assignment is only provided to the first authenticated host.
If the authentication server provides valid VLAN information, the port is authorized and placed in the specified VLAN when authentication succeeds.
If the multiple-hosts mode is enabled, all hosts are in the same VLAN as the first authenticated user.
If 802.1X is disabled on the port, the port is returned to the configured access VLAN.
A port must be configured as an access port (which can be assigned only into "regular" VLANs), or as a PVLAN host port (which can be assigned only into PVLANs). Configuring a port as a PVLAN host port implies that all hosts on the port are assigned into PVLANs, whether their posture is compliant or non-compliant. If the type of the VLAN named in the Access-Accept does not match the type of VLAN expected to be assigned to the port (regular VLAN to access port, secondary PVLAN to PVLAN host port), the VLAN assignment fails.
If a guest VLAN is configured to handle non-responsive hosts, the type of VLAN configured as the guest VLAN must match the port type (that is, guest VLANs configured on access ports must be standard VLANs, and guest VLANs configured on PVLAN host ports must be PVLANs). If the guest VLAN's type does not match the port type, non-responsive hosts are treated as if no guest VLAN is configured (that is, they are denied network access).
To assign a port into a PVLAN, the named VLAN must be a secondary PVLAN. The switch determines the implied primary VLAN from the locally configured secondary-primary association.
Note: If you change the access VLAN or PVLAN host VLAN mapping on a port that is already authorized in a RADIUS assigned VLAN, the port remains in the RADIUS assigned VLAN.
To configure VLAN assignment you need to perform these tasks:
Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server. For an illustration of how to apply the aaa authorization network group radius command, refer to the section "Enabling 802.1X Authentication" on page 29.
Enable 802.1X. (The VLAN assignment feature is automatically enabled when you configure 802.1X on an access port.)
Assign vendor-specific tunnel attributes in the RADIUS server. To ensure proper VLAN assignment, the RADIUS server must return these attributes to the switch:
Tunnel-Type = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = VLAN NAME
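The assignment rules listed above (no VLAN supplied, invalid VLAN information, the first-host behaviour in multi-authentication mode, the regular-VLAN/secondary-PVLAN type check against the port type, the guest VLAN type check for non-responsive hosts, and the RADIUS-assigned VLAN surviving a later access VLAN change) as an added Python simulation. This is not Cisco code and does not model the switch's actual implementation; the VLAN names, MAC addresses, the `Port` fields, the function names and the treatment of an incomplete tunnel-attribute set as invalid VLAN information are assumptions.

```python
"""Simulation of the 802.1X VLAN-assignment decisions described in the text.
Added example, not Cisco code; all names and the sample VLAN table are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed switch-side VLAN table. Regular VLANs may be assigned to access ports;
# only secondary PVLANs may be assigned to PVLAN host ports.
VLAN_DB: Dict[str, dict] = {
    "DATA": {"type": "regular"},
    "ENGINEERING": {"type": "regular"},
    "GUEST": {"type": "regular"},
    "ISOLATED-10": {"type": "secondary_pvlan", "primary": 10},
    "GUEST-PVLAN": {"type": "secondary_pvlan", "primary": 10},
}

# VLAN type each port type accepts: regular VLAN to access port, secondary PVLAN to PVLAN host port.
EXPECTED_TYPE = {"access": "regular", "pvlan_host": "secondary_pvlan"}


@dataclass
class Port:
    port_type: str                    # "access" or "pvlan_host"
    access_vlan: str                  # configured access VLAN (or isolated PVLAN)
    guest_vlan: Optional[str] = None  # VLAN for non-responsive hosts, if configured
    multi_auth: bool = False
    assigned_vlan: Optional[str] = None              # RADIUS VLAN pinned by the first authenticated host
    hosts: Dict[str, str] = field(default_factory=dict)  # MAC -> "authorized" / "unauthorized"


def radius_vlan_name(attrs: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Return (valid, vlan_name) from the three tunnel attributes.
    No tunnel attributes at all means 'no VLAN supplied'; a partial or wrong set is
    treated as invalid VLAN information (assumption made for this example)."""
    keys = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
    present = [k for k in keys if k in attrs]
    if not present:
        return True, None
    if len(present) != 3 or attrs["Tunnel-Type"] != "VLAN" or attrs["Tunnel-Medium-Type"] != "802":
        return False, None
    return True, attrs["Tunnel-Private-Group-ID"]


def authorize_host(port: Port, mac: str, attrs: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Apply the assignment rules to one host whose credentials the RADIUS server accepted.
    Returns ("authorized", vlan) or ("unauthorized", None)."""
    valid, name = radius_vlan_name(attrs)
    if not valid:                                    # invalid VLAN information: port stays unauthorized
        port.hosts[mac] = "unauthorized"
        return "unauthorized", None
    if name is not None:
        entry = VLAN_DB.get(name)
        if entry is None or entry["type"] != EXPECTED_TYPE[port.port_type]:
            port.hosts[mac] = "unauthorized"         # unknown VLAN or wrong type for this port: assignment fails
            return "unauthorized", None
    if port.multi_auth and port.assigned_vlan is not None:
        # Only the first host chooses; later hosts must carry no VLAN or the same VLAN.
        if name not in (None, port.assigned_vlan):
            port.hosts[mac] = "unauthorized"
            return "unauthorized", None
        name = port.assigned_vlan
    if name is not None and port.assigned_vlan is None:
        port.assigned_vlan = name                    # first host pins the port's VLAN
    port.hosts[mac] = "authorized"
    return "authorized", name or port.assigned_vlan or port.access_vlan


def nonresponsive_host(port: Port) -> Optional[str]:
    """A host that never answers EAP gets the guest VLAN only if its type matches the port type;
    otherwise it is treated as if no guest VLAN were configured (None = access denied)."""
    if port.guest_vlan is None:
        return None
    entry = VLAN_DB.get(port.guest_vlan)
    if entry is None or entry["type"] != EXPECTED_TYPE[port.port_type]:
        return None
    return port.guest_vlan


def effective_vlan(port: Port) -> str:
    """A RADIUS-assigned VLAN survives a later change of the port's configured access VLAN."""
    return port.assigned_vlan or port.access_vlan


if __name__ == "__main__":
    # Constructed walk-through: multi-auth access port, first host gets ENGINEERING.
    eng = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802", "Tunnel-Private-Group-ID": "ENGINEERING"}
    guest = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802", "Tunnel-Private-Group-ID": "GUEST"}
    p = Port("access", "DATA", guest_vlan="GUEST", multi_auth=True)
    print(authorize_host(p, "00:11:22:33:44:55", eng))   # first host: ('authorized', 'ENGINEERING')
    print(authorize_host(p, "00:11:22:33:44:66", {}))    # no VLAN supplied: follows first host
    print(authorize_host(p, "00:11:22:33:44:77", guest)) # different VLAN: ('unauthorized', None)
    print(nonresponsive_host(Port("pvlan_host", "ISOLATED-10", guest_vlan="GUEST")))  # None: type mismatch
```

Running the module prints the walk-through; importing it exposes the functions so the same rules can be exercised against other port and attribute combinations.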

Using 802.1X for Guest VLANs

You can use guest VLANs to enable non-802.1X-capable hosts to access networks that use 802.1X authentication. For example, you can use guest VLANs while you are upgrading your system to support 802.1X authentication.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
49-10
Chapter 49
Configuring 802.1X Port-Based Authentication
