Configuring Dynamic Vlan Assignment - H3C S3100-52P Operation Manual

Operation Manual – AAA
H3C S3100-52P Ethernet switch
III. Configuration guidelines
Suppose a combined AAA scheme is available. The system selects AAA schemes
according to the following principles:
- If authentication, authorization, and accounting each have a separate scheme,
  the separate schemes are used.
- If you configure only a separate authentication scheme (that is, there are no
  separate authorization and accounting schemes configured), the combined
  scheme is used for authorization and accounting. In this case, if the combined
  scheme uses RADIUS or HWTACACS, the system never uses the secondary
  scheme for authorization and accounting.
- If you configure no separate scheme, the combined scheme is used for
  authentication, authorization, and accounting. In this case, if the system uses
  the secondary local scheme for authentication, it also does so for authorization
  and accounting; if the system uses the first scheme for authentication, it also
  does so for authorization and accounting, even if authorization and accounting
  fail.

2.1.3 Configuring Dynamic VLAN Assignment

The dynamic VLAN assignment feature enables a switch to dynamically add the switch
ports of successfully authenticated users to different VLANs according to the attributes
assigned by the RADIUS server, so as to control the network resources that different
users can access.
Currently, the switch supports the following two types of assigned VLAN IDs: integer
and string.
- Integer: If the RADIUS authentication server assigns integer-type VLAN IDs,
  you can set the VLAN assignment mode to integer on the switch (this is also the
  default mode on the switch). Then, upon receiving an integer ID assigned by the
  RADIUS authentication server, the switch adds the port to the VLAN whose VLAN
  ID is equal to the assigned integer ID. If no such VLAN exists, the switch first
  creates a VLAN with the assigned ID, and then adds the port to the newly created
  VLAN.
- String: If the RADIUS authentication server assigns string-type VLAN IDs, you
  can set the VLAN assignment mode to string on the switch. Then, upon receiving a
  string ID assigned by the RADIUS authentication server, the switch compares the
  ID with existing VLAN names on the switch. If it finds a match, it adds the port to
  the corresponding VLAN. Otherwise, the VLAN assignment fails and the user fails
  the authentication.
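The two modes treat an assigned value that matches nothing on the switch differently: integer mode creates the VLAN, string mode fails the authentication. The following added example (not from the H3C manual; the class and function names, the placeholder VLAN name, and the sample data are assumptions) models both modes and dry-runs a RADIUS policy to find such values before deployment.

```python
import copy
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Toy model of the switch state this section describes (hypothetical names)."""
    mode: str = "integer"                      # manual: integer is the default mode
    vlans: dict = field(default_factory=dict)  # VLAN ID -> VLAN name
    port_vlan: dict = field(default_factory=dict)

    def assign(self, port, value):
        """Apply a RADIUS-assigned VLAN value; return (outcome, vlan_id)."""
        if self.mode == "integer":
            # Assumption: values that are not integers in 1-4094 are rejected;
            # the manual does not describe this case.
            if not (value.isascii() and value.isdigit() and 1 <= int(value) <= 4094):
                return ("auth-failed", None)
            vid, outcome = int(value), "joined"
            if vid not in self.vlans:
                # Manual: a missing VLAN is created first, then the port is added.
                self.vlans[vid] = f"auto-{vid}"   # constructed placeholder name
                outcome = "created-and-joined"
        else:
            # Manual: the string is compared with existing VLAN names; no match
            # means the assignment and the authentication both fail.
            # Assumption: the comparison is exact and case-sensitive.
            vid = next((i for i, n in self.vlans.items() if n == value), None)
            if vid is None:
                return ("auth-failed", None)
            outcome = "joined"
        self.port_vlan[port] = vid
        return (outcome, vid)

def audit(switch, policy):
    """Dry-run each value the RADIUS policy can return against a copy of the
    switch and report every profile that would not land in an existing VLAN."""
    findings = {}
    for profile, value in policy.items():
        outcome, _ = copy.deepcopy(switch).assign("dry-run", value)
        if outcome != "joined":
            findings[profile] = outcome
    return findings

# Constructed sample data: VLANs on the switch and per-profile RADIUS values.
SWITCH_VLANS = {10: "staff", 20: "guest"}
POLICY = {"staff": "10", "contractor": "30", "guest-users": "guest"}

if __name__ == "__main__":
    for mode in ("integer", "string"):
        print(mode, audit(Switch(mode=mode, vlans=dict(SWITCH_VLANS)), POLICY))
```

A "created-and-joined" finding marks a RADIUS value that would place the port in a VLAN nobody provisioned on the switch, which is worth reviewing alongside the "auth-failed" entries.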
In actual applications, to use this feature together with Guest VLAN, you should
set port control to port-based mode. For more information, refer to Basic 802.1x
Configuration of 802.1x and System Guard Operation.
Follow these steps to configure dynamic VLAN assignment:
Chapter 2 AAA Configuration