During an authentication request, network login receives a destination VLAN (if configured on the RADIUS server) to put the authenticated user in.
The VLAN must exist on the switch for network login to authenticate the client on that VLAN.
NoteDynamically created VLANs do not support the session refresh feature of web-based network login because dynamically created VLANs do not have an IP address.
By dynamically creating and deleting VLANs, you minimize the number of active VLANs configured on your edge switches. In addition, the dynamic VLAN name can be stored on the RADIUS server and supplied to the switch during authentication, simplifying switch management. A key difference between dynamically created VLANs and other VLANs is that the switch does not save dynamically created VLANs. Even if you use the save command, the switch does not save a dynamically created VLAN.