Dynamic VLAN assignment for 802.1X ports

The Extreme 802.1X implementation supports assigning a port to a VLAN dynamically, based on information received from an authentication server (RADIUS server).

When a client or supplicant successfully completes the EAP authentication process, the authentication server (RADIUS server) sends the authenticator (the device) a RADIUS Access-Accept message that grants the client access to the network. The RADIUS Access-Accept message contains attributes set for the user in the user's access profile on the RADIUS server.

If one of the attributes in the Access-Accept message specifies a VLAN identifier (ID), and this VLAN is available on the device, the client's port is moved from its default VLAN to the specified VLAN. When the client disconnects from the network, the port is placed back in its default VLAN.

To enable 802.1X VLAN ID support on the device, you must add the following attributes to a user's profile on the RADIUS server.

Table 1. RADIUS attributes for dynamic VLAN assignment

| Attribute name          | Type | Value                 |
|-------------------------|------|-----------------------|
| Tunnel-Type             | 064  | 13 (decimal) - VLAN   |
| Tunnel-Medium-Type      | 065  | 6 (decimal) - 802     |
| Tunnel-Private-Group-ID | 081  | vlan-number (decimal) |
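When troubleshooting or auditing a RADIUS profile, it helps to confirm that a captured Access-Accept really carries all three attributes with the values in Table 1. The following is an added example, not Extreme's code and not a description of the device's own parsing: it assumes the standard RFC 2868 encoding (a tag byte before the 3-byte Tunnel-Type and Tunnel-Medium-Type values, an optional tag byte before the Tunnel-Private-Group-ID string) and the usable 802.1Q range 1 to 4094; the function names and the sample bytes are constructed for illustration.

```python
# Attribute type numbers and required values come from Table 1 on this page.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value (helper for test data)."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data: bytes) -> dict:
    """Split the attribute region of a RADIUS packet into {type: [raw values]}."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.setdefault(atype, []).append(data[pos + 2:pos + alen])
        pos += alen
    return attrs

def tagged_int(value: bytes) -> int:
    """Assumed RFC 2868 layout: 1-byte tag followed by a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("expected tag byte plus 3-byte value")
    return int.from_bytes(value[1:], "big")

def vlan_from_access_accept(attr_bytes: bytes):
    """Return the VLAN ID if all three attributes are present and valid, else None."""
    try:
        attrs = parse_attributes(attr_bytes)
        tunnel_type = tagged_int(attrs[TUNNEL_TYPE][0])
        medium = tagged_int(attrs[TUNNEL_MEDIUM_TYPE][0])
        group = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
    except (KeyError, ValueError):
        return None                      # missing or malformed attribute
    if tunnel_type != VLAN or medium != IEEE_802:
        return None                      # wrong values: no VLAN assignment
    if group and group[0] <= 0x1F:       # optional tag byte (assumed RFC 2868)
        group = group[1:]
    text = group.decode("ascii", errors="replace")
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        return None                      # not a decimal VLAN number in range
    return int(text)

# Constructed sample: attribute region of an Access-Accept assigning VLAN 20.
SAMPLE = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
          + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
          + attr(TUNNEL_PRIVATE_GROUP_ID, b"20"))
```

A `None` result on a profile that should assign a VLAN points to a missing attribute or a wrong value on the RADIUS server.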

The device reads the attributes as follows: