Cisco 350 Series Administration Manual page 528


Security: 802.1X Authentication
Overview
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
A RADIUS server must support DVA with RADIUS attributes tunnel-type (64) =
VLAN (13), tunnel-media-type (65) = 802 (6), and tunnel-private-group-id = a VLAN
ID.
If the tunnel-private-group-id attribute is provided as a VLAN name, the VLAN with this
name must be statically configured on the device. If a VLAN ID (2-4094) is used in this
attribute, after a supplicant is authenticated, the VLAN will be created dynamically.
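The following check is an added example, not taken from the Cisco manual or the switch firmware: it parses the attribute section of a RADIUS Access-Accept and tests it against the three requirements stated above. The attribute number 81 for tunnel-private-group-id and the tag-octet layout come from RFC 2868; the function names, the `static_vlan_names` parameter and the sample bytes are assumptions made for illustration.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 numbers
TYPE_VLAN, MEDIUM_802 = 13, 6  # values the manual requires

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data: bytes) -> dict:
    """Split a RADIUS attribute section into {type: value}; last occurrence wins."""
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def tagged_int(value: bytes) -> int:
    """Tunnel-Type and Tunnel-Medium-Type carry one tag octet plus a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("expected a 4-octet tagged integer")
    return int.from_bytes(value[1:], "big")

def check_dva(data: bytes, static_vlan_names=()) -> tuple:
    """Check an Access-Accept attribute section against the manual's DVA requirements."""
    attrs = parse_attributes(data)
    for need in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if need not in attrs:
            return False, f"missing attribute {need}"
    if tagged_int(attrs[TUNNEL_TYPE]) != TYPE_VLAN:
        return False, "tunnel-type is not VLAN (13)"
    if tagged_int(attrs[TUNNEL_MEDIUM_TYPE]) != MEDIUM_802:
        return False, "tunnel-media-type is not 802 (6)"
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # leading octet in this range is a tag, not text
        group = group[1:]
    text = group.decode("ascii", "replace")
    if text.isdigit():
        if 2 <= int(text) <= 4094:
            return True, f"VLAN ID {int(text)}: created dynamically"
        return False, f"VLAN ID {text} is outside 2-4094"
    if text in static_vlan_names:
        return True, f"VLAN name {text!r}: statically configured"
    return False, f"VLAN name {text!r} is not statically configured"

# Constructed sample: the attribute section a RADIUS server might return.
SAMPLE = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"120")
if __name__ == "__main__":
    print(check_dva(SAMPLE))
```

Running the same check over the reply attributes configured on the RADIUS server before enabling the feature shows whether a VLAN name needs a matching static VLAN on the device.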
When the RADIUS-Assigned VLAN feature is enabled, the host modes behave as follows:
Single-Host and Multi-Host Mode
Untagged traffic and tagged traffic belonging to the RADIUS-assigned VLAN are
bridged via this VLAN. All other traffic not belonging to unauthenticated VLANs is
discarded.
Multi-Sessions Mode
Untagged traffic and tagged traffic not belonging to the unauthenticated VLANs
arriving from the client are assigned to the RADIUS-assigned VLAN using TCAM
rules and are bridged via the VLAN.
The following table describes guest VLAN and RADIUS VLAN Assignment support
depending on authentication method and port mode.
RADIUS VLAN Assignment Support
Authentication Method: 802.1x, MAC, WEB
Single-host
Multi-host: N/S, N/S
Multi-sessions: N/S
Legend:
†—The port mode supports the guest VLAN and RADIUS-VLAN assignment
N/S—The port mode does not support the authentication method.
Violation Mode
In single-host mode you can configure the action to be taken when an unauthorized host on
an authorized port attempts to access the interface. This is done in the
Host and Session Authentication page.
