Cisco Systems SF300-24P, SG30052PK9NA, SRW2024PK9NA, SRW224G4K9AR, SRW224G4PK9NA, SRW248G4PK9NA Dynamic VLAN Assignment (DVA)

Security

Configuring 802.1X

Cisco Small Business 300 Series Managed Switch Administration Guide 330

-Single session/multiple hosts—This follows the 802.1x standard. In this

mode, the device as an authenticator allows any device to use a port as

long as it has been granted permission.

•Multi-Session 802.1X—Every device (supplicant) connecting to a port

must be authenticated and authorized by the device (authenticator)

separately in a different 802.1x session.

NOTE This is the only mode that supports Dynamic VLAN Assignment (DVA).

Dynamic VLAN Assignment (DVA)

Dynamic VL AN Assig nment (DVA) is al so referred to as RADIU S VLAN As signment

in this guide. When a port is in Multiple Session mode and is DVA-enabled, the

device automatically adds the port as an untagged member of the VLAN that is

assigned by the RADIUS server during the authentication process. The device

classifies untagged packets to the assigned VLAN if the packets originated from

the devices or ports that are authenticated and authorized.

NOTE DVA is only supported when the device is in Layer 2 system mode.

For a device to be authenticated and authorized at a port which is DVA-enabled:

•The RADIUS server must authenticate the device and dynamically assign a

VLAN to the device. The user can configure an alternative VLAN ahead of

time to be used if the RADIUS server does not assign a VLAN.

•The assigned VLAN must not be the default VLAN and must have been

created on the device.

•The device must not be configured to use both a DVA and a MAC-based

VLAN group together.

•A RADIUS server must support DVA with RADIUS attributes tunnel-type

(64) = VLAN (13), tunnel-media-type (65) = 802 (6), and tunnel-private-

group-id = a VLAN ID.

The authentication methods can be:

•802.1x—The device supports the authentication mechanism, as described

in the standard, to authenticate and authorize 802.1x supplicants.

•MAC-based—The device can be configured to use this mode to

authenticate and authorized devices that do not support 802.1x. The device

emulates the supplicant role on behalf of the non 802.1x capable devices,

and uses the MAC address of the devices as the username and password

when communicating with the RADIUS servers. MAC addresses for

username and password must be entered in lower case and with no

Cisco Systems Dynamic VLAN Assignment (DVA)