Configuring VLAN Authorization

VLAN authorization allows for the dynamic assignment of users to the same VLAN. You configure VLAN authorization attributes within RADIUS. On the switch, you enable VLAN authorization both globally and per port. By default, VLAN authorization is disabled globally and enabled per port. You can also set the VLAN egress format per port. VLAN egress format defaults to untagged.

VLAN egress format can be set as follows:

The VLAN authorization table will always list any tunnel attribute's VIDs that have been received for authenticated end systems, but a VID will not actually be assigned unless VLAN authorization is enabled both globally and on the authenticating port. Dynamic VLAN authorization overrides the port PVID. Dynamic VLAN authorization is not reflected in the show port vlan display. The VLAN egress list may be statically configured, enabled based upon the set vlanauthorization egress command, or have dynamic egress enabled to allow full VLAN membership and connectivity.

VLAN Authorization Configuration describes setting VLAN authorization configuration.

VLAN Authorization Configuration

Step  Task                                                                                              Command(s)
1     Enable or disable VLAN authorization both globally and per port.                                  set vlanauthorization {enable | disable}
2     Reset VLAN authorization configuration to default values for the specified port-list or for all.  clear vlanauthorization {port-list | all}
3     Display VLAN authorization configuration settings for the specified port-list or for all.         show vlanauthorization {port-list | all}

Setting Dynamic Policy Profile Assignment and Invalid Policy Action

Dynamic policy profile assignment is implemented using the policy mapping table. When VLAN authorization is enabled, authenticated users are dynamically assigned to the received tunnel attribute's VID, unless preempted by a policy map-table configuration entry. Dynamic policy profile assignment is supported by mapping a VID to a policy role upon receipt of a RADIUS tunnel attribute.

If the authentication server returns an invalid policy or VLAN to a switch for an authenticating supplicant, an invalid action of forward, drop, or default policy can be configured.

Policy Profile Assignment and Invalid Action Configuration describes setting dynamic policy profile assignment and invalid policy action configuration.

Policy Profile Assignment and Invalid Action Configuration

Step  Task                                                                                             Command(s)
1     Identify the profile index to be used in the VID-to-policy mapping.                              show policy profile all
2     Map the VLAN ID to the profile index.                                                            set policy maptable {vlan-list profile-index | response {tunnel | policy | both}}
3     Display the current maptable configuration.                                                      show policy maptable
4     Set the action to take when an invalid policy or VLAN is received by the authenticating switch.  set policy invalid action {default-policy | drop | forward}
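
The following added example is not from the vendor documentation. It parses the standard RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, per RFC 2868 and RFC 3580) from a constructed attribute block and applies the rules described above: global and per-port enablement, maptable preemption, and the invalid action. The function names, the outcome labels, the order of the maptable check, and the treatment of malformed or out-of-range attributes as "invalid" are assumptions of this example.

```python
# Added example. Attribute numbers and values are from RFC 2868 / RFC 3580;
# authorize() is a simplified model of the rules in the text (assumptions noted).
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6

def tunnel_vid(attrs: bytes):
    """Return the VID from a block of RADIUS attributes, None if no tunnel
    attributes are present; raise ValueError if they are malformed."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute TLV")
        seen.setdefault(attrs[i], attrs[i + 2:i + attrs[i + 1]])
        i += attrs[i + 1]
    parts = [seen.get(t) for t in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID)]
    if all(p is None for p in parts):
        return None
    ttype, medium, pgid = parts
    if None in parts or len(ttype) != 4 or len(medium) != 4 or not pgid:
        raise ValueError("incomplete tunnel attribute set")
    # Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte value.
    value = (int.from_bytes(ttype[1:], "big"), int.from_bytes(medium[1:], "big"))
    if value != (TYPE_VLAN, MEDIUM_802):
        raise ValueError("tunnel is not VLAN over 802")
    if 0 < pgid[0] <= 0x1F:                  # optional tag byte before the VID string
        pgid = pgid[1:]
    if not pgid.isdigit() or not 1 <= int(pgid) <= 4094:
        raise ValueError("VID is not a number in 1..4094")
    return int(pgid)

def authorize(attrs, global_enabled, port_enabled, maptable, invalid_action):
    """Return (outcome, value) for one authenticated end system."""
    try:
        vid = tunnel_vid(attrs)
    except ValueError:
        return ("invalid", invalid_action)   # forward, drop or default-policy
    if vid is None:
        return ("no-tunnel", None)
    if vid in maptable:                      # assumption: maptable is checked first
        return ("policy-profile", maptable[vid])
    if global_enabled and port_enabled:
        return ("vlan-assigned", vid)        # overrides the port PVID
    return ("listed-only", vid)              # in the table, but not assigned

def attr(atype, value):                      # builds constructed sample attributes
    return bytes([atype, len(value) + 2]) + value

# Constructed Access-Accept attributes: VLAN / 802 / VID "100", all with tag 1.
SAMPLE = attr(64, b"\x01\x00\x00\x0d") + attr(65, b"\x01\x00\x00\x06") + attr(81, b"\x01100")
```

Running `authorize(SAMPLE, False, True, {}, "drop")` shows the case the text warns about: the VID is received and listed, but not assigned, because VLAN authorization is disabled globally.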