RFC 4675 RADIUS Attributes: Egress VLAN

Egress VLAN controls egress traffic. Egress VLAN supports two standard RADIUS attributes as defined in RFC 4675:

RADIUS attributes control the 802.1Q tagging for traffic egressing a port where RADIUS authentication is performed for a connected EAP or NEAP client.

The Egress VLAN attributes are standard attributes, therefore the RADIUS server supports them by default and offers the ability to configure them. Each attribute has two parts:
  1. Indicates if the frames on the VLAN egress must be tagged or untagged

  2. Specifies the VLAN name or VLAN ID

The switch applies the VLAN received in the Egress-VLAN attributes to the port where the client is authenticated through RADIUS and then sets the tagging rules (tagged or untagged) accordingly.

The switch processes the Egress-VLAN attributes when decoding the RADIUS packet, therefore the switch adds the port to the VLANs first and then sets the proper tagging for the VLANs. You must create VLANs in advance on the switch.
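The two-part layout described above, as an added example that is not taken from this page or from the switch software: a decoder for the RFC 4675 Egress-VLANID (type 56) and Egress-VLAN-Name (type 58) attributes that rejects malformed values and reports VLANs that were not created in advance. The function names and the sample bytes are assumptions made for illustration; the type codes and the Tag Indication values (0x31 tagged, 0x32 untagged) come from RFC 4675.

```python
import struct

EGRESS_VLANID, EGRESS_VLAN_NAME = 56, 58          # RFC 4675 attribute types
TAGGING = {0x31: "tagged", 0x32: "untagged"}      # Tag Indication octet


def decode_egress_attrs(attrs: bytes):
    """Walk RADIUS attribute TLVs; return [(tagging, vlan_id_or_name), ...]."""
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype not in (EGRESS_VLANID, EGRESS_VLAN_NAME):
            continue                                # not an Egress-VLAN attribute
        if not value or value[0] not in TAGGING:
            raise ValueError(f"attribute {atype}: invalid Tag Indication")
        tagging = TAGGING[value[0]]
        if atype == EGRESS_VLANID:
            if len(value) != 4:
                raise ValueError("Egress-VLANID value must be 4 octets")
            word, = struct.unpack("!I", value)
            if word & 0x00FFF000:                   # 12 pad bits after the tag octet
                raise ValueError("Egress-VLANID: pad bits must be zero")
            out.append((tagging, word & 0xFFF))     # low 12 bits carry the VLAN ID
        else:
            if len(value) < 2:
                raise ValueError("Egress-VLAN-Name: empty VLAN name")
            out.append((tagging, value[1:].decode("utf-8")))
    return out


def unknown_vlans(decoded, configured_ids, configured_names):
    """Return entries naming a VLAN that was not created in advance."""
    return [e for e in decoded
            if e[1] not in (configured_ids if isinstance(e[1], int) else configured_names)]


# Constructed sample: Egress-VLANID untagged VLAN 10, Egress-VLAN-Name tagged "voice",
# plus an unrelated attribute (type 1, User-Name) that the decoder skips.
SAMPLE = (bytes([56, 6, 0x32, 0x00, 0x00, 0x0A])
          + bytes([58, 8, 0x31]) + b"voice"
          + bytes([1, 5]) + b"bob")
```

Running `unknown_vlans(decode_egress_attrs(SAMPLE), {10}, {"data"})` flags the `voice` entry, which is the case the paragraph above warns about: the attribute names a VLAN that does not yet exist on the switch.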

In the MultiVlan operation mode, the EAP applies ingress hardware rules to ensure untagged traffic from each authenticated client goes into its own VLAN. The unauthenticated clients send traffic to the Guest VLAN, which matches the default VLAN ID.

For more information, see VLAN RADIUS Attributes.