RADIUS Authentication, Authorization, and Accounting

VLAN Assignment in an Authentication Session

A switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication method for a type of access, when a client authenticates on a port, the RADIUS server assigns an untagged VLAN that is statically configured on the switch for use in the authentication session. (For information on how to configure a user profile on a RADIUS server with the VLAN to be assigned for 802.1X, Web, or MAC authentication, refer to the documentation provided with the RADIUS server application.)

If a switch port is configured to accept multiple 802.1X and/or Web- or MAC-Authentication client sessions, all authenticated clients must use the same port-based, untagged VLAN membership assigned for the earliest, currently active client session. On a port where one or more authenticated client sessions are already running, all clients are on the same untagged VLAN. If the RADIUS server subsequently authenticates a new client, but attempts to reassign the port to a different, untagged VLAN than the one already in use for the previously existing, authenticated client sessions, the connection for the new client will fail.
