Understanding How 802.1X Vlan Assignments Using A Radius Server Work - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Chapter 40
Configuring 802.1X Authentication

Understanding How 802.1X VLAN Assignments Using a RADIUS Server Work

In the supervisor engine software releases prior to software release 7.2(2), once the 802.1X host is authenticated, it joins an NVRAM-configured VLAN. With software release 7.2(2) and later releases, after authentication, an 802.1X host can receive its VLAN assignment from the RADIUS server.

The VLAN assignment feature allows you to restrict users to a specific VLAN. For example, you could put the guest users in a VLAN with limited access to the network.

The 802.1X authenticated ports are assigned to a VLAN based on the username of the host that is connected to the port. This feature works with the RADIUS server that has a database of username-to-VLAN mappings.

After a successful 802.1X authentication of the port, the RADIUS server sends the VLAN in which the user needs to be given access. The 802.1X port behavior with the VLAN assignment feature is as follows:
• At linkup, an 802.1X port is placed in its original NVRAM-configured VLAN.
• After linkup, the port can be put in the RADIUS-supplied VLAN if the RADIUS-supplied VLAN is valid and active in the management domain.
• If the port is currently in a different VLAN, it is moved to the RADIUS-supplied VLAN.
• If the RADIUS-supplied VLAN is not active in the management domain, the port is put in an inactive state.
• If the RADIUS-supplied VLAN is invalid or there is a problem with the port hardware, the port is moved to the 802.1X unauthorized state.
• When you enable the multiple hosts option on an 802.1X port, all the hosts are placed in the same RADIUS-supplied VLAN that is received by the first authenticated user.
• When an 802.1X-configured module goes down, all the Enhanced Address Recognition Logic (EARL) entries are cleared for the 802.1X ports.
• When an 802.1X-configured module comes up, all the 802.1X ports are configured in the NVRAM-configured VLANs.
• When an 802.1X-configured module's configuration is cleared, all the 802.1X ports are moved to the NVRAM-configured VLAN and all the EARL entries for the 802.1X ports are cleared.
• When an 802.1X port moves from an authorized to an unauthorized state, the port is moved to the NVRAM-configured VLAN.

In order for the "802.1X VLAN assignment using a RADIUS server" feature to successfully complete, the RADIUS server must return these three RFC 2868 attributes to the authenticator (the Cisco switch to which the host attaches):

[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-Id = VLAN NAME or VLAN ID (VLAN number)

Attribute [64] must contain the value "VLAN" (type 13). Attribute [65] must contain the value "802" (type 6). Attribute [81] specifies the VLAN name or VLAN ID in which the successfully authenticated 802.1X host is placed.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, OL-8978-04, page 40-7
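As an added example (not code from the Cisco guide or the switch software), the decision logic above modelled in Python: it parses the three RFC 2868 tunnel attributes from an Access-Accept, including the optional leading tag octet that RFC 2868 allows on these attributes, checks that they carry the required values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = 802), and applies the port rules for a valid and active VLAN, an inactive VLAN and an invalid VLAN. Treating an Access-Accept whose attributes are absent or malformed as "feature not completed, port stays in the NVRAM VLAN" is this example's assumption, and the VLAN table and attribute sets are constructed sample data.

```python
from enum import Enum
# RFC 2868 attribute numbers and the values the switch requires.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # "VLAN" (type 13), "802" (type 6)

class Outcome(Enum):
    RADIUS_VLAN = "port moved to the RADIUS-supplied VLAN"
    INACTIVE = "port put in the inactive state (VLAN not active in the domain)"
    UNAUTHORIZED = "port moved to the 802.1X unauthorized state (invalid VLAN)"
    NO_ASSIGNMENT = "attributes absent or malformed; stays in NVRAM VLAN (assumption)"

def _tagged_int(raw: bytes) -> int:
    # Tunnel-Type / Tunnel-Medium-Type: one tag octet followed by a 3-octet value.
    if len(raw) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return int.from_bytes(raw[1:], "big")

def _tagged_string(raw: bytes) -> str:
    # Tunnel-Private-Group-Id: optional tag octet (0x00..0x1F), then the text value.
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return raw.decode("ascii")

def assign_vlan(attrs, vlan_table, nvram_vlan):
    """attrs: {attribute number: raw bytes}; vlan_table: {vlan_id: (name, is_active)}.
    Returns (Outcome, VLAN the port ends up in, or None when put in the inactive state)."""
    try:
        if _tagged_int(attrs[TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN:
            return Outcome.NO_ASSIGNMENT, nvram_vlan
        if _tagged_int(attrs[TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_802:
            return Outcome.NO_ASSIGNMENT, nvram_vlan
        group = _tagged_string(attrs[TUNNEL_PRIVATE_GROUP_ID])
    except (KeyError, ValueError, UnicodeDecodeError):
        return Outcome.NO_ASSIGNMENT, nvram_vlan
    # Attribute 81 may carry either the VLAN name or the VLAN number.
    match = [vid for vid, (name, _) in vlan_table.items()
             if group == name or group == str(vid)]
    if not match:                 # invalid VLAN: unauthorized, back to the NVRAM VLAN
        return Outcome.UNAUTHORIZED, nvram_vlan
    vid = match[0]
    if not vlan_table[vid][1]:    # VLAN known but not active in the management domain
        return Outcome.INACTIVE, None
    return Outcome.RADIUS_VLAN, vid

# Constructed sample data: a small management domain and three Access-Accept attribute sets.
VLANS = {1: ("default", True), 20: ("guests", True), 30: ("quarantine", False)}
GUEST_ACCEPT = {64: b"\x00\x00\x00\x0d", 65: b"\x00\x00\x00\x06", 81: b"\x00guests"}
INACTIVE_ACCEPT = {64: b"\x00\x00\x00\x0d", 65: b"\x00\x00\x00\x06", 81: b"30"}
BOGUS_ACCEPT = {64: b"\x00\x00\x00\x0d", 65: b"\x00\x00\x00\x06", 81: b"\x00vlan999"}
```

Calling `assign_vlan(GUEST_ACCEPT, VLANS, 1)` moves the port to VLAN 20, `INACTIVE_ACCEPT` leaves it in the inactive state, and `BOGUS_ACCEPT` sends it to the unauthorized state in the NVRAM VLAN.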
