ZyXEL Communications MGS3600-24F User Manual page 293

When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once assigned, all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID.

If (re-)authentication fails, the RADIUS Access-Accept packet no longer carries a valid VLAN ID, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned VLAN ID).

This option is only available for Port-based 802.1X and Single 802.1X modes.

To troubleshoot VLAN assignments, use the Configuration > VLAN > VLAN Membership and Port Status sub-menus to see which modules have (temporarily) overridden the current port VLAN configuration.

RADIUS attributes used in identifying a VLAN ID

RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used:

• The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be present at least once in the Access-Accept packet.
• The switch looks for the first set of these attributes that have the same Tag value and fulfil the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag):
  - Value of Tunnel-Medium-Type must be set to IEEE-802 (ordinal 6).
  - Value of Tunnel-Type must be set to VLAN (ordinal 13).
  - Value of Tunnel-Private-Group-ID must be a string of ASCII chars in the range '0' - '9', which is interpreted as a decimal string representing the VLAN ID. Leading '0's are discarded. The final value must be in the range [1; 4095].
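
The selection criteria above, as an added Python example that is not taken from the ZyXEL manual or firmware: it walks the attribute block of an Access-Accept and returns the VLAN ID the rules would pick. Assumptions: the attribute type numbers 64, 65 and 81 and the optional-Tag rule for Tunnel-Private-Group-ID come from RFC 2868, "first set" is read as the order in which Tag values first appear, the function names are hypothetical, and the sample bytes are constructed.

```python
# Attribute type numbers per RFC 2868 (assumption: not listed in the manual).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6   # ordinals required by the criteria above

def tlv(atype, value):
    """Encode one RADIUS attribute (Type, Length, Value)."""
    return bytes([atype, len(value) + 2]) + value

def iter_attributes(data):
    """Yield (type, value) for each attribute, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[pos], data[pos + 1]
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def radius_assigned_vlan(attrs):
    """Return the VLAN ID chosen by the manual's criteria, or None."""
    sets = {}  # Tag -> {attribute type: value}; dicts keep first-seen order
    for atype, value in iter_attributes(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue                      # malformed tunnel attribute
            tag, field = value[0], int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet <= 0x1F is a Tag, otherwise it is data.
            if value and value[0] <= 0x1F:
                tag, field = value[0], value[1:]
            else:
                tag, field = 0, value
        else:
            continue
        sets.setdefault(tag, {}).setdefault(atype, field)
    for fields in sets.values():
        gid = fields.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if (fields.get(TUNNEL_TYPE) == TYPE_VLAN
                and fields.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and gid and all(0x30 <= b <= 0x39 for b in gid)
                and 1 <= int(gid) <= 4095):
            return int(gid)                   # leading zeros are discarded
    return None

# Constructed sample: Tag 1, Tunnel-Type VLAN, medium IEEE-802, group "0042".
SAMPLE = (tlv(64, b"\x01\x00\x00\x0d") + tlv(65, b"\x01\x00\x00\x06")
          + tlv(81, b"\x01" + b"0042"))
```

Running candidate Access-Accept attributes from the RADIUS server through such a check before deployment shows whether a port would actually move to the intended VLAN or silently stay on its original one.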

Guest VLAN Enabled:

When Guest VLAN is both globally enabled and enabled (checked) for a given port, the switch considers moving the port into the Guest VLAN according to the rules outlined below.

This option is only available for EAPOL-based modes, i.e.:

• Port-based 802.1X
• Single 802.1X
• Multi 802.1X

To troubleshoot VLAN assignments, use the Configuration > VLAN > VLAN Membership and Port Status sub-menus to see which modules have (temporarily) overridden the current port VLAN configuration.


This manual is also suitable for:

XGS3600-26F, XGS3600-28F
