Authorization VLAN

The device uses the authorization VLAN to control the access of an 802.1X user to authorized network resources.

Supported VLAN types and forms

Which VLAN types and forms are supported depends on the authorization type.

Local VLAN authorization.
The authorization VLAN of an 802.1X user is specified in user view or user group view in the form of VLAN ID on the device. The port through which the user accesses the device is assigned to the VLAN as an untagged member. Tagged VLAN assignment is not supported.
For more information about local user configuration, see "Configuring AAA."
Remote VLAN authorization.
The authorization VLAN information of an 802.1X user is assigned by a remote server. The device resolves the VLAN information and selects a VLAN as the authorization VLAN for the user. The port through which the user accesses the device can be assigned to the VLAN as a tagged or untagged member.
The access device can resolve server-assigned VLANs in the following forms:
- VLAN ID.
- VLAN name.
  The VLAN name represents the VLAN description on the access device.
- Combination of VLAN IDs and VLAN names.
  In the string, some VLANs are represented by their IDs, and some VLANs are represented by their names.
- VLAN group name.
  For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.
- VLAN ID with suffix.
  The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members or not. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members.

NOTE:

The access device converts VLAN names and VLAN group name into VLAN IDs before VLAN assignment.

Unsupported VLAN types

Do not specify the following types of VLANs for VLAN authorization:

Dynamically-learnt VLANs.
Reserved VLANs.
Super VLANs.
Private VLANs.

VLAN selection and assignment

If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the VLAN ID format. Table 6 describes the VLAN selection and assignment rules for a group of authorization VLANs.

Table 6: VLAN selection and assignment for a group of authorization VLANs

Types of authorized VLANs	VLAN selection and assignment rules
VLANs by IDs VLANs by names VLAN group name	The device selects a VLAN to be the authorization VLAN of a user, depending on whether the port has other online users: If the port does not have other online users, the device selects the VLAN with the lowest ID from the group of VLANs. If the port has other online users, the device selects the VLAN by using the following process: The device selects the VLAN that has the fewest number of online users. If two VLANs have the same number of online 802.1X users, the device selects the VLAN with the lower ID. The device follows the rules in Table 7 to handle VLAN assignment.
VLAN IDs with suffixes	The device selects the leftmost VLAN ID without a suffix, or the leftmost VLAN ID suffixed by u as an untagged VLAN, whichever is more leftmost. The device assigns the untagged VLAN to the port as the PVID, and it assigns the remaining as tagged VLANs. If no untagged VLAN is assigned, the PVID of the port does not change. The port permits traffic from these tagged and untagged VLANs to pass through. For example, the authentication server sends the string 1u 2t 3 to the access device for a user. The device assigns VLAN 1 as an untagged VLAN and other VLANs as tagged VLANs. VLAN 1 becomes the PVID.

Types of authorized VLANs

VLAN selection and assignment rules

VLANs by IDs
VLANs by names
VLAN group name

The device selects a VLAN to be the authorization VLAN of a user, depending on whether the port has other online users:

If the port does not have other online users, the device selects the VLAN with the lowest ID from the group of VLANs.
If the port has other online users, the device selects the VLAN by using the following process:
1. The device selects the VLAN that has the fewest number of online users.
2. If two VLANs have the same number of online 802.1X users, the device selects the VLAN with the lower ID.

The device follows the rules in Table 7 to handle VLAN assignment.

VLAN IDs with suffixes

The device selects the leftmost VLAN ID without a suffix, or the leftmost VLAN ID suffixed by u as an untagged VLAN, whichever is more leftmost.
The device assigns the untagged VLAN to the port as the PVID, and it assigns the remaining as tagged VLANs. If no untagged VLAN is assigned, the PVID of the port does not change. The port permits traffic from these tagged and untagged VLANs to pass through.

For example, the authentication server sends the string 1u 2t 3 to the access device for a user. The device assigns VLAN 1 as an untagged VLAN and other VLANs as tagged VLANs. VLAN 1 becomes the PVID.

NOTE:

Assign VLAN IDs with suffixes only to hybrid or trunk ports that perform port-based access control.

Table 7 describes how the access device handles VLANs (except for the VLANs specified with suffixes) on an 802.1X-enabled port.

Table 7: VLAN manipulation

Port access control method	VLAN manipulation
Port-based	The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID. If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change.
MAC-based	For a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each user to its own authorization VLAN. The PVID of the port does not change. For an access, trunk, or MAC-based VLAN-disabled hybrid port: If the port is assigned to the authorization VLAN as an untagged member, the device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. To ensure successful authentication of subsequent users, authorize the same VLAN to all 802.1X users on the port. If a different VLAN is authorized to a subsequent user, the user cannot pass the authentication. If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change. The device maps the MAC address of each user to its own authorization VLAN.

Port access control method

VLAN manipulation

Port-based

The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication.

If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID. If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change.

MAC-based

For a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each user to its own authorization VLAN. The PVID of the port does not change.
For an access, trunk, or MAC-based VLAN-disabled hybrid port:
- If the port is assigned to the authorization VLAN as an untagged member, the device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. To ensure successful authentication of subsequent users, authorize the same VLAN to all 802.1X users on the port. If a different VLAN is authorized to a subsequent user, the user cannot pass the authentication.
- If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change. The device maps the MAC address of each user to its own authorization VLAN.


	IMPORTANT: An 802.1X-enabled access port can be assigned to an authorization VLAN only as an untagged member. As a best practice, always assign a hybrid port to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.

On a port with periodic online user reauthentication enabled, the MAC-based VLAN feature does not take effect on a user who has been online since before this feature was enabled. The access device creates a MAC-to-VLAN mapping for the user when the following requirements are met:

The user passes reauthentication.
The authorization VLAN for the user is changed.

For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.

prev	up	next
802.1X VLAN manipulation	home	Guest VLAN