Enabling the authorization VLAN auto-tag feature for MAC authentication

About the authorization VLAN auto-tag feature

After this feature is enabled on a port, the port does not check whether the VLAN IDs carried in received packets are permitted on the port. Tagged packets can therefore trigger MAC authentication even if their VLAN IDs are not permitted on the port. When a user passes MAC authentication on a port, the device follows these rules to assign the port to the authorization VLAN:

When the ignore-config mode is enabled, the device ignores the static VLAN assignment configuration for a port. Whether the port is assigned to the authorization VLAN as a tagged member is determined only by the authorization VLAN auto-tag feature.

When the ignore-config mode is disabled, the tagging status of the port in the authorization VLAN is determined by the static VLAN assignment configuration for the port. For information about the static VLAN assignment configuration for a port, see the port hybrid vlan vlan-list { tagged | untagged } command in Layer 2–LAN Switching Command Reference.

Restrictions and guidelines

This feature takes effect only on hybrid ports with MAC-based VLAN enabled.

The tagging status that this feature sets for the port in the authorization VLAN takes precedence over the tagging status that the AAA server specifies for the port in that VLAN. However, when the authorization VLAN is the port VLAN, this command does not take effect.

When a port is enabled with this feature, do not use the undo vlan command to delete the authorization VLANs authorized to authenticated users.

When you configure this feature on a port, make sure the port does not have online users. This feature will not take effect if there are online users.

Procedure

  1. Enter system view.

    system-view

  2. Enter interface view.

    interface interface-type interface-number

  3. Enable the authorization VLAN auto-tag feature for MAC authentication.

    mac-authentication auto-tag [ ignore-config ]

    By default, the authorization VLAN auto-tag feature is disabled for MAC authentication. The AAA server's configuration of the port's tagging status in the authorization VLAN applies.
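The following session is an added example, not part of the original procedure. It applies the restrictions above before enabling the feature. The device name Sysname and the interface GigabitEthernet 1/0/1 are constructed, and the display mac-authentication connection, port link-type hybrid, and mac-vlan enable commands are assumed to be available on the device (they do not appear on this page).

```text
# Confirm that no MAC authentication users are online on the port,
# because the feature does not take effect while users are online.
<Sysname> display mac-authentication connection interface gigabitethernet 1/0/1

# Set the port to hybrid and enable MAC-based VLAN on it,
# because the feature takes effect only on such ports.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type hybrid
[Sysname-GigabitEthernet1/0/1] mac-vlan enable

# Enable the authorization VLAN auto-tag feature in ignore-config mode,
# so that the static VLAN assignment configuration of the port is ignored.
[Sysname-GigabitEthernet1/0/1] mac-authentication auto-tag ignore-config
```

To keep the static VLAN assignment configuration in control of the tagging status, enter mac-authentication auto-tag without the ignore-config keyword.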