Authorization VLAN

The authorization VLAN controls the access of an 802.1X user to authorized network resources. The device supports authorization VLANs assigned locally or by a remote server. Only remote servers can assign tagged authorization VLANs.

Remote VLAN authorization

In remote VLAN authorization, you must specify authorization VLAN information on the remote server. After the user passes authentication, the server assigns the information to the device. The device resolves the authorization VLAN information and assigns the user's access port to the authorization VLAN as a tagged or untagged member. If the resolution fails, the user fails authentication.

The device can resolve the following formats of VLANs assigned by the remote server:


NOTE:

The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.


The device cannot resolve the following types of VLANs assigned by the remote server:

If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the VLAN ID format. Table 6 describes the authorization VLAN selection and assignment rules from a group of VLANs.

Table 6: Authorization VLAN selection and assignment from a group of VLANs

Types of VLANs: VLANs by IDs, VLANs by names, or VLAN group name

Authorization VLAN selection and assignment rules:

If the 802.1X-enabled port performs MAC-based access control, the device selects a VLAN to be the authorization VLAN of a user, depending on whether the port has other online users:

  • If the port does not have other online users, the device selects the VLAN with the lowest ID from the group of VLANs.

  • If the port has other online users, the following rules apply:

    • If MAC-based VLAN is enabled, the device selects the VLAN that has the fewest online users. If two VLANs have the same number of online 802.1X users, the device selects the VLAN with the lower ID.

    • If MAC-based VLAN is disabled, the device examines whether the VLAN that has online users is in the group of VLANs. If the VLAN is found in the group, the VLAN is assigned to the user as the authorization VLAN. If the VLAN is not found in the group, the VLAN authorization fails.

If the 802.1X-enabled port performs port-based access control, the device selects the VLAN with the lowest ID from the group of VLANs. All subsequent 802.1X users are assigned to that VLAN.

Types of VLANs: VLAN IDs with suffixes

Authorization VLAN selection and assignment rules:

  1. The device selects the leftmost VLAN ID without a suffix or the leftmost VLAN ID suffixed by u as the untagged VLAN, whichever is further left.

  2. The device assigns the untagged VLAN to the port as the PVID and assigns the remaining VLANs as tagged VLANs. If no untagged VLAN is assigned, the PVID of the port does not change. The port permits traffic from these tagged and untagged VLANs to pass through.

For example, the authentication server sends the string 1u 2t 3 to the access device for a user. The device assigns VLAN 1 as an untagged VLAN and the other VLANs as tagged VLANs. VLAN 1 becomes the PVID.
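The two resolution rules in Table 6, modelled as an added example (this is not H3C/HPE device code). It assumes that VLAN names and VLAN group names have already been converted to VLAN IDs, and that the per-VLAN count of online 802.1X users on the port is available as a dict; the selection logic for a group of VLANs follows the MAC-based and port-based rules above, and the suffix parser follows the two numbered steps.

```python
# Added example (not device code): models the server-assigned authorization
# VLAN resolution rules of Table 6. Inputs are VLAN IDs; name and group-name
# lookup is assumed to have already produced those IDs.


def resolve_suffixed(assignment):
    """VLAN IDs with suffixes, e.g. "1u 2t 3": the leftmost ID that is unsuffixed
    or suffixed by u becomes the untagged VLAN (and the PVID); every other ID is
    a tagged VLAN. Returns (untagged_vlan_or_None, [tagged VLAN IDs])."""
    untagged, tagged = None, []
    for token in assignment.split():
        suffix = token[-1] if token[-1] in "ut" else ""
        vid = int(token[:-1]) if suffix else int(token)
        if untagged is None and suffix != "t":
            untagged = vid            # first untagged candidate wins
        else:
            tagged.append(vid)        # everything else is a tagged member
    return untagged, tagged


def select_from_group(group, online_users, mac_based_access, mac_based_vlan=False):
    """Pick one authorization VLAN from a server-assigned group of VLAN IDs.
    online_users maps VLAN ID -> number of 802.1X users already online on the
    port (empty dict = no other online users). Returns None when authorization
    fails (MAC-based VLAN disabled and the occupied VLAN is not in the group)."""
    if not mac_based_access or not online_users:
        return min(group)             # port-based control, or no other online users
    if mac_based_vlan:
        # fewest online users; a VLAN absent from online_users has zero users;
        # ties are broken by the lower VLAN ID
        return min(group, key=lambda vid: (online_users.get(vid, 0), vid))
    # MAC-based VLAN disabled: the port's online users share one VLAN, which
    # must be in the group, otherwise VLAN authorization fails
    occupied = {vid for vid, count in online_users.items() if count > 0}
    if len(occupied) == 1 and occupied <= set(group):
        return next(iter(occupied))
    return None


if __name__ == "__main__":
    print(resolve_suffixed("1u 2t 3"))    # the page's example: (1, [2, 3])
    print(select_from_group([10, 20, 30], {10: 2, 20: 1, 30: 1}, True, True))  # 20
```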


NOTE:

Assign VLAN IDs with suffixes only to hybrid or trunk ports that perform port-based access control.


Local VLAN authorization

The authorization VLAN of an 802.1X user is specified in user view or user group view in the form of a VLAN ID on the device. The port through which the user accesses the device is assigned to the VLAN as an untagged member. Tagged VLAN assignment is not supported.

For more information about local user configuration, see "Configuring AAA."

Authorization VLAN manipulation for an 802.1X-enabled port

Table 7 describes how the access device handles VLANs (except for the VLANs specified with suffixes) on an 802.1X-enabled port.

Table 7: VLAN manipulation

Port access control method: Port-based

VLAN manipulation:

The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication.

If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID. If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change.

Port access control method: MAC-based

VLAN manipulation:

  • For a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each user to its own authorization VLAN. The PVID of the port does not change.

  • For an access, trunk, or MAC-based VLAN-disabled hybrid port:

    • If the port is assigned to the authorization VLAN as an untagged member, the device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. To ensure successful authentication of subsequent users, authorize the same VLAN to all 802.1X users on the port. If a different VLAN is authorized to a subsequent user, the user cannot pass the authentication.

    • If the port is assigned to the authorization VLAN as a tagged member, the PVID of the port does not change. The device maps the MAC address of each user to its own authorization VLAN.


IMPORTANT:

  • An 802.1X-enabled access port can be assigned to an authorization VLAN only as an untagged member.

  • As a best practice, always assign a hybrid port to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.


  • For an 802.1X authenticated user to access the network on a hybrid port when no authorization VLANs are assigned to the user, perform one of the following tasks:

    On a port with periodic online user reauthentication enabled, the MAC-based VLAN feature does not take effect on a user that has been online since before this feature was enabled. The access device creates a MAC-to-VLAN mapping for the user when the following requirements are met:

    For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide. Support for the MAC-based VLAN feature depends on the device model.