VLAN assignment
The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources.
The device supports the following VLAN authorization methods:
Remote VLAN authorization—The authorization VLAN information of a MAC authentication user is assigned by a remote server. The device can resolve server-assigned VLANs in the form of VLAN ID or VLAN name.
The port through which the user accesses the device is assigned to the authorization VLAN as a tagged or untagged member.
Local VLAN authorization—The authorization VLAN of a MAC authentication user is specified in user view or user group view in the form of VLAN ID on the device.
The port through which the user accesses the device is assigned to the VLAN as an untagged member. Tagged VLAN assignment is not supported.
For more information about local authorization VLAN configuration, see "Configuring AAA."
The network access device handles authorization VLANs for MAC authenticated users as follows:
If the port is assigned to the authorization VLAN as an untagged member, the device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. All MAC authentication users on the port must be assigned the same authorization VLAN. If a different authorization VLAN is assigned to a subsequent user, the user cannot pass MAC authentication.
If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change. The device maps the MAC address of each user to its own authorization VLAN.
IMPORTANT: An access port can be assigned to an authorization VLAN only as an untagged VLAN member. As a best practice, always assign a hybrid port to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
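The handling rules above can be checked against a planned server policy before rollout. The following is an added example, not code from the device or its vendor: a simplified Python model of one port that reports which users would fail MAC authentication because of a conflicting untagged authorization VLAN. The class and function names, the port name, the MAC addresses, and the VLAN IDs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    """Simplified model of one MAC-authentication port (not device code)."""
    name: str
    pvid: int                                   # PVID before any user authenticates
    untagged_auth_vlan: Optional[int] = None    # set by the first untagged user
    users: dict = field(default_factory=dict)   # accepted MAC -> authorization VLAN

    def authorize(self, mac: str, vlan: int, tagged: bool) -> bool:
        """Apply one authorization VLAN; return False if the user would fail."""
        if tagged:
            # Tagged member: the PVID does not change, the MAC maps to its own VLAN.
            self.users[mac] = vlan
            return True
        if self.untagged_auth_vlan is None:
            # First authenticated user: its authorization VLAN becomes the PVID.
            self.untagged_auth_vlan = vlan
            self.pvid = vlan
        elif vlan != self.untagged_auth_vlan:
            # A subsequent user with a different untagged VLAN cannot pass.
            return False
        self.users[mac] = vlan
        return True


def find_conflicts(port: Port, plan):
    """Return the MACs in `plan` (in authentication order) that would be rejected."""
    return [mac for mac, vlan, tagged in plan
            if not port.authorize(mac, vlan, tagged)]


# Constructed sample: planned server assignments for users sharing one port.
PLAN = [
    ("00-11-22-33-44-01", 10, False),   # first user, PVID becomes 10
    ("00-11-22-33-44-02", 10, False),   # same untagged VLAN, accepted
    ("00-11-22-33-44-03", 20, False),   # different untagged VLAN, rejected
    ("00-11-22-33-44-04", 30, True),    # tagged, mapped per MAC
]

if __name__ == "__main__":
    port = Port(name="GE1/0/1", pvid=1)         # constructed port name
    print("rejected:", find_conflicts(port, PLAN))
    print("pvid:", port.pvid, "users:", port.users)
```

Because the first authenticated user fixes the PVID, the result depends on authentication order, so a policy that places users with different untagged VLANs behind the same port produces rejections that vary with which device connects first.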