Software Configuration Guide—Release 12.2(25)SG, OL-7659-03, page 29-6
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
If a guest VLAN is configured to handle non-responsive hosts, the type of VLAN configured as the
guest VLAN must match the port type (that is, guest VLANs configured on access ports must be
standard VLANs, and guest VLANs configured on private-VLAN host ports must be secondary PVLANs).
If the guest VLAN's type does not match the port type, non-responsive hosts are treated as if no guest
VLAN is configured (that is, they are denied network access).
To assign a port into a PVLAN, the named VLAN must be a secondary PVLAN. The switch
determines the implied primary VLAN from the locally configured secondary-primary association.
You cannot configure voice VLANs on a private VLAN port.
Note If the port mode is changed from private VLAN host mode to access mode when the port is authorized
with a RADIUS-assigned private VLAN, the port is moved to the configured access VLAN. Similarly,
when the port mode is changed from access mode to private VLAN host mode, the port is moved into
the configured private VLANs.
Note If you configure a different VLAN when the port is authorized with a RADIUS-assigned private VLAN,
the port remains in the RADIUS-assigned private VLAN, but the configured private VLAN is changed.
To configure VLAN assignment you need to perform these tasks:
• Enable AAA authorization with the network keyword to allow interface configuration from the
RADIUS server. For an illustration of how to apply the aaa authorization network group radius
command, refer to the section "Enabling 802.1X Authentication" on page 16.
• Enable 802.1X. (The VLAN assignment feature is automatically enabled when you configure
802.1X on an access port.)
• Configure the RADIUS server to return the standard tunnel attributes defined in RFC 2868 (these are
IETF attributes 64, 65 and 81, not vendor-specific attributes). To ensure proper VLAN assignment,
the RADIUS server must return these attributes to the switch in the Access-Accept:
Tunnel-Type = VLAN (value 13)
Tunnel-Medium-Type = 802 (value 6)
Tunnel-Private-Group-ID = VLAN NAME
The Tunnel-Private-Group-ID carries the VLAN name, not the VLAN number, so the name must
exist on the switch and be of the right type for the port (a secondary PVLAN for a private-VLAN host
port, a standard VLAN for an access port).
Using 802.1X Authentication for Guest VLANs
You can use guest VLANs to enable non-802.1X-capable hosts to access networks that use 802.1X
authentication. For example, you can use guest VLANs while you are upgrading your system to support
802.1X authentication. Because a host lands in the guest VLAN simply by never answering the
authenticator, treat the guest VLAN as an untrusted segment and restrict what it can reach.
Guest VLANs are supported on a per-port basis, and you can use any VLAN as a guest VLAN as long
as its type matches the type of the port. If a port is already forwarding on the guest VLAN and you enable
802.1X support on the network interface of the host, the port is immediately moved out of the guest
VLAN and the authenticator waits for authentication to occur.
Enabling 802.1X authentication on a port starts the 802.1X protocol. If the host fails to respond to packets
from the authenticator within a certain amount of time, the authenticator brings the port up in the
configured guest VLAN.
If the port is configured as a private VLAN host port, the guest VLAN must be a secondary private
VLAN. If the port is configured as an access port, the guest VLAN must be a regular VLAN. If the guest
VLAN configured on a port is not appropriate for the type of the port, the switch behaves as if no guest
VLAN is configured (that is, non-responsive hosts are denied network access).
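The following is an added example, not code from the Cisco guide or from Cisco IOS. It serves two passages above: the RADIUS tunnel attributes the server must return for VLAN assignment (it encodes and parses them in the RFC 2868 wire format), and the port-type rule that applies both to RADIUS-assigned VLANs and to guest VLANs (a standard VLAN for an access port, a secondary PVLAN for a private-VLAN host port, otherwise no access). The VLAN table, the port-type strings "access" and "pvlan-host", and every function name are constructed for this illustration and are not switch identifiers; the guide does not say what the switch does with a RADIUS-assigned VLAN of the wrong type, so refusing that assignment is an assumption made here.

```python
"""Added example (not from the Cisco guide): RFC 2868 tunnel attributes for an
802.1X VLAN assignment, plus the switch-side type checks this chapter describes.
VLAN_TABLE, the port-type strings and all function names are constructed for
this illustration and are not Cisco IOS identifiers."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type = 802
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def int3(value):
    """Tagged integer attributes carry the value in 3 bytes after the tag byte."""
    return value.to_bytes(3, "big")


def tlv(attr_type, value):
    """One RADIUS attribute: Type, Length (covers the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_tunnel_attrs(vlan_name, tag=0):
    """The three attributes the RADIUS server must return, as Access-Accept bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return (tlv(TUNNEL_TYPE, bytes([tag]) + int3(TUNNEL_TYPE_VLAN))
            + tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + int3(TUNNEL_MEDIUM_802))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode()))


def decode_attrs(data):
    """Walk attribute TLVs, rejecting lengths that overrun or underrun the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def radius_vlan_name(data):
    """Return the VLAN name only if Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and
    Tunnel-Private-Group-ID all arrive with the same tag; otherwise None."""
    by_tag = {}
    for attr_type, value in decode_attrs(data):
        if attr_type not in TUNNEL_ATTRS or not value:
            continue
        tag = value[0] if value[0] <= 0x1F else 0
        # RFC 2868: a string whose first byte exceeds 0x1F is untagged data
        untagged_string = attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F
        body = value if untagged_string else value[1:]
        by_tag.setdefault(tag, {})[attr_type] = body
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == int3(TUNNEL_TYPE_VLAN)
                and group.get(TUNNEL_MEDIUM_TYPE) == int3(TUNNEL_MEDIUM_802)
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return None


# Constructed VLAN table for the switch-side checks: VLAN name -> VLAN type.
VLAN_TABLE = {"ENG": "standard", "GUESTS": "standard",
              "ISOLATED-20": "secondary", "PRIMARY-10": "primary"}


def vlan_fits_port(vlan_name, port_type):
    """Access ports take standard VLANs; private-VLAN host ports take secondary PVLANs."""
    vlan_type = VLAN_TABLE.get(vlan_name)
    return ((port_type == "access" and vlan_type == "standard")
            or (port_type == "pvlan-host" and vlan_type == "secondary"))


def authorize(port_type, access_accept_attrs):
    """Apply a RADIUS VLAN assignment. Returns the VLAN the port is placed in, or
    None when the named VLAN is unknown or of the wrong type for the port
    (assumption: this example refuses such an assignment; the guide does not
    specify the switch's action for that case)."""
    name = radius_vlan_name(access_accept_attrs)
    if name is None or not vlan_fits_port(name, port_type):
        return None
    return name


def on_supplicant_timeout(port_type, guest_vlan):
    """Host never answered the authenticator: bring the port up in the guest VLAN
    if its type matches the port, else deny access (as if no guest VLAN is set)."""
    if guest_vlan is not None and vlan_fits_port(guest_vlan, port_type):
        return guest_vlan
    return None


if __name__ == "__main__":
    accept = encode_tunnel_attrs("ISOLATED-20")
    print(accept.hex())
    print(authorize("pvlan-host", accept), authorize("access", accept))
    print(on_supplicant_timeout("access", "GUESTS"),
          on_supplicant_timeout("pvlan-host", "GUESTS"))
```

The decoder groups the three attributes by tag before accepting them, which is the check a real authenticator needs when a server returns more than one tunnel set; an Access-Accept whose Tunnel-Medium-Type is anything other than 802, or whose name is absent, yields no assignment at all.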