Authorization VLAN
The device uses the authorization VLAN to control the access of an 802.1X user to authorized network resources. The port through which the user accesses the device is assigned to the VLAN as a tagged or untagged member.
Supported VLAN types and forms
Which VLAN types and forms are supported depends on the authorization type.
Local VLAN authorization.
The authorization VLAN of an 802.1X user is specified in user view or user group view in the form of VLAN ID on the device.
For more information about local user configuration, see "Configuring AAA."
Remote VLAN authorization.
The authorization VLAN information of an 802.1X user is assigned by a remote server. The device resolves the VLAN information and selects a VLAN as the authorization VLAN for the user.
The access device can resolve server-assigned VLANs in the following forms:
VLAN ID.
VLAN name.
The VLAN name represents the VLAN description on the access device.
Combination of VLAN IDs and VLAN names.
In the string, some VLANs are represented by their IDs, and some VLANs are represented by their names.
VLAN group name.
For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.
VLAN ID with suffix.
The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members or untagged members. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members.
NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
Unsupported VLAN types
Do not specify the following types of VLANs for VLAN authorization. The access device does not assign these VLANs to 802.1X users.
VLANs that have not been created.
Dynamically learnt VLANs.
Reserved VLANs.
Super VLANs.
Private VLANs.
VLAN selection and assignment
If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the VLAN ID format. Table 5 describes the VLAN selection and assignment rules for a group of authorization VLANs.
Table 5: VLAN selection and assignment for a group of authorization VLANs
Types of authorized VLANs | VLAN selection and assignment rules
---|---
VLAN IDs, VLAN names, combinations of VLAN IDs and VLAN names, or VLAN group names | The device selects a VLAN to be the authorization VLAN of the user, depending on whether the port has other online users. The device follows the rules in Table 6 to handle VLAN assignment.
VLAN IDs with suffixes | For example, the authentication server sends the string 1u 2t 3 to the access device for a user. The device assigns VLAN 1 as an untagged VLAN and the other VLANs as tagged VLANs. VLAN 1 becomes the PVID.
NOTE: Assign VLAN IDs with suffixes only to hybrid or trunk ports that perform port-based access control.
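The following added example (not code from the product documentation) models the resolution steps described above: name and VLAN group tokens are converted to VLAN IDs, VLANs of the unsupported types are refused, and a string in the suffix form such as 1u 2t 3 is turned into tagged/untagged assignments with the untagged VLAN as the PVID. The DeviceVlans data model, the function name, the parameter names and the reject reasons are assumptions made for illustration. For a string without suffixes the function only returns the resolved candidate IDs, because which one becomes the authorization VLAN depends on the port's online-user state.

```python
"""Model of server-assigned authorization VLAN resolution (added example).

DeviceVlans, resolve_authorization_vlans and the reject reasons are assumed
names for illustration; they are not the switch's own API.
"""
import re
from dataclasses import dataclass, field

# A VLAN ID token, optionally carrying the t (tagged) or u (untagged) suffix.
ID_TOKEN = re.compile(r"^(\d+)([tu])?$")


@dataclass
class DeviceVlans:
    """Constructed snapshot of the VLANs known to the access device."""
    created: set = field(default_factory=set)     # VLANs that exist on the device
    names: dict = field(default_factory=dict)     # VLAN description -> VLAN ID
    groups: dict = field(default_factory=dict)    # VLAN group name -> member IDs
    dynamic: set = field(default_factory=set)     # dynamically learnt VLANs
    reserved: set = field(default_factory=set)
    super_vlans: set = field(default_factory=set)
    private: set = field(default_factory=set)

    def reject_reason(self, vid):
        """Return why the device must not assign this VLAN, or None if it may."""
        if vid not in self.created:
            return "not created"
        for label, bucket in (("dynamically learnt", self.dynamic),
                              ("reserved", self.reserved),
                              ("super VLAN", self.super_vlans),
                              ("private VLAN", self.private)):
            if vid in bucket:
                return label
        return None


def resolve_authorization_vlans(attr, device, port_type="hybrid", port_based=True):
    """Resolve a server-assigned VLAN string into what the device would assign.

    Returns a dict with:
      form       -- "suffix" when any token carries t/u, otherwise "plain"
      assign     -- {vid: "tagged" | "untagged"} for the suffix form
      pvid       -- the untagged VLAN that becomes the PVID (suffix form)
      candidates -- resolved VLAN IDs for the plain form; picking one of them
                    depends on the port's online users and is left to the caller
      rejected   -- [(token, reason), ...]
    """
    tokens = attr.split()
    matches = [ID_TOKEN.match(t) for t in tokens]
    has_suffix = any(m and m.group(2) for m in matches)
    result = {"form": "suffix" if has_suffix else "plain", "assign": {},
              "pvid": None, "candidates": [], "rejected": []}

    # Suffixed IDs are only valid on hybrid or trunk ports doing port-based control.
    if has_suffix and not (port_based and port_type in ("hybrid", "trunk")):
        result["rejected"].append(
            (attr, "suffixed VLAN IDs need a hybrid or trunk port with port-based access control"))
        return result

    for tok, m in zip(tokens, matches):
        if m:
            ids, suffix = [int(m.group(1))], m.group(2)
        elif has_suffix:
            # Assumption: a suffixed string carries VLAN IDs only.
            result["rejected"].append((tok, "not a VLAN ID in a suffixed string"))
            continue
        elif tok in device.names:             # VLAN name -> VLAN ID
            ids, suffix = [device.names[tok]], None
        elif tok in device.groups:            # VLAN group name -> member VLAN IDs
            ids, suffix = list(device.groups[tok]), None
        else:
            result["rejected"].append((tok, "unknown VLAN name or VLAN group"))
            continue

        for vid in ids:
            reason = device.reject_reason(vid)
            if reason:
                result["rejected"].append((tok, reason))
            elif has_suffix:
                # In a suffixed string only the u VLAN is untagged; the rest are tagged.
                mode = "untagged" if suffix == "u" else "tagged"
                result["assign"][vid] = mode
                if mode == "untagged" and result["pvid"] is None:
                    result["pvid"] = vid
            else:
                result["candidates"].append(vid)
    return result


if __name__ == "__main__":
    # Constructed device state: VLANs 1, 2, 3, 10 and 20 exist; 30 does not.
    dev = DeviceVlans(created={1, 2, 3, 10, 20}, names={"sales": 10},
                      groups={"labs": [20, 30]})
    print(resolve_authorization_vlans("1u 2t 3", dev))
    print(resolve_authorization_vlans("sales labs 99", dev))
```

Run as a script it prints the two resolutions: the suffix string from the table gives VLAN 1 untagged (PVID 1) and VLANs 2 and 3 tagged, while the plain string resolves the name and group to candidate IDs and reports the not-yet-created VLANs as rejected rather than silently assigning them.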
Table 6 describes how the access device handles VLANs (except for the VLANs specified with suffixes) on an 802.1X-enabled port.
Table 6: VLAN manipulation
Port access control method | VLAN manipulation
---|---
Port-based | The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID. If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change.
MAC-based |
IMPORTANT: An 802.1X-enabled access port can be assigned to an authorization VLAN only as an untagged member. As a best practice, always assign a hybrid port to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
For more information about VLANs, see Layer 2—LAN Switching Configuration Guide.