802.1x Dynamic VLans

Unanswered Question
Feb 8th, 2010

I'm trying to figure out a way to get to 802.1x and Dynamic Vlans.

I have all types of devices; some log in to Windows AD, some don't.

Is this possible?

The port is set up to use 802.1x. The RADIUS server first checks against AD, then checks for the MAC address; if no conditions are met, the port is set to a catch-all type VLAN and starts forwarding.

Something like:

1. A domain user/PC connects, the user logs in to AD and is assigned to a user VLAN.

2. A printer is connected and assigned to a printer VLAN.

3. A guest connects and is assigned to a guest VLAN.

I'd like not to have to put MAC addresses in for PCs that are members of the Windows domain.

sachinraja Tue, 02/09/2010 - 10:47


Please find the answers inline:

1. A domain user/PC connects, the user logs in to AD and is assigned to a user VLAN.

This is possible by using RADIUS extended attributes to assign the VLAN dynamically. For this to work, you need to define the RADIUS server host and key on the switch/NAD, then enable dot1x on the switchport to force authentication through RADIUS. You can have a NAC client to key in your AD username/password. You would need to configure your RADIUS server to send these attributes:

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Refer to CCO for more info on how the ACS server is configured for sending this info. Apart from this, on the switch configure "radius-server host x.x.x.x auth-port 1612 key *****" and the appropriate aaa commands to force dot1x to refer to RADIUS: "aaa authentication dot1x default radius".

2. A printer is connected and assigned to a printer VLAN.

For printers, or any non-dot1x-compliant device, it's general to use the MAC Authentication Bypass feature. By doing this we can make sure the ports connecting to printers use the default "switchport access vlan" configuration on these ports. With MAB, we add the MAC address of the printer on the ACS server (with the password as the MAC address) and make sure the printer is authenticated via the switch. If you don't want to use the MAC address for bypassing dot1x, you can probably disable dot1x on such ports. A similar methodology can be adopted for servers, which wouldn't need dot1x. Since there are few printers and servers on networks, you can disable dot1x on these ports.

3. A guest connects and is assigned to a guest VLAN.

This is achieved by using the guest-vlan feature. Guests who don't have a dot1x client will be put on a separate isolated VLAN called the guest VLAN. You can create a VLAN, say VLAN 99, on the switch for guests, and on the switchport configure "dot1x guest-vlan 99". This would make sure the guests are separated and isolated. Make sure you have VLAN ACLs on VLAN 99 to restrict traffic for guest users only to the internet, or place them behind the DMZ of firewalls. You also have the "authentication failure" VLAN, which you can enable for production users when they fail authentication.

Refer to this Guide. It has all the information about 802.1x on switches.


Hope this helps.. all the best..
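The three RADIUS attributes listed above are the RFC 2868 tunnel attributes, and the switch only honours the VLAN in attribute 81 when 64 and 65 say "VLAN over 802 media" with a matching tag. The following script is an added example, not code from the thread or from Cisco ACS: it encodes those attributes the way a RADIUS server would put them in an Access-Accept, then decodes them the way a NAS does, including the tag-octet rule and the consistency check. The VLAN IDs and names in it are constructed sample values.

```python
"""Encode and decode the RFC 2868 tunnel attributes used for dynamic VLAN assignment."""
import struct

TUNNEL_TYPE = 64                 # [64] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65          # [65] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81     # [81] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13            # IANA value for "VLAN"
TUNNEL_MEDIUM_802 = 6            # IANA value for "802" media


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 octet) | Length (1 octet, header included) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attributes(vlan, tag: int = 1) -> bytes:
    """Encode attributes 64/65/81 for one VLAN, given as an ID or a VLAN name (server side)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")

    def tagged_int(v: int) -> bytes:
        # Tag octet followed by a 3-octet integer value (RFC 2868 layout for 64 and 65)
        return struct.pack("!B", tag) + struct.pack("!I", v)[1:]

    group = str(vlan).encode("ascii")   # "10" or "PRINTERS"; the NAS resolves names itself
    return (
        _attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        + _attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + group)
    )


def parse_attributes(data: bytes) -> list:
    """Walk the attribute section of a RADIUS packet into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def _split_tag(value: bytes):
    # A first octet of 0x00..0x1F is a tag; anything larger is already data (RFC 2868 section 3.6)
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(data: bytes):
    """NAS-side check: return the VLAN from 81 only if 64/65 with the same tag say VLAN over 802."""
    by_tag = {}
    for attr_type, value in parse_attributes(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, body = _split_tag(value)
        by_tag.setdefault(tag, {})[attr_type] = body
    for _tag, attrs in sorted(by_tag.items()):
        if len(attrs) != 3:
            continue   # incomplete triple: ignore rather than guess
        tunnel_type = int.from_bytes(attrs[TUNNEL_TYPE], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big")
        if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802:
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    # Constructed sample: a user mapped to VLAN 10 and a printer mapped to the VLAN named PRINTERS
    for sample in (build_vlan_attributes(10), build_vlan_attributes("PRINTERS", tag=0)):
        print(sample.hex(), "->", vlan_from_access_accept(sample))
```

The decoder deliberately returns nothing when the three attributes do not agree (for example Tunnel-Medium-Type set to something other than 802), which mirrors why a switch falls back to the port's static access VLAN when a server profile is half-configured.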


Jiann-Ming Su Wed, 08/25/2010 - 13:51

Is it possible to do dynamic VLAN assignments with MAB?  Or, is dynamic VLAN only available with dot1x?  Thanks for any clarification.

Nathaniel Austin Wed, 09/08/2010 - 06:40

Hi Jiann-Ming,

Yes - you can do dynamic VLAN assignment with MAB authentications in addition to your standard dot1x authentications. Many people go this route with IP phones.
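To tie the thread's pieces together, here is an example Cisco IOS switch configuration added for illustration (it is not from any post above and not Cisco's documentation): 802.1X is tried first, MAB second, and because network authorization is sent to RADIUS the switch applies whatever VLAN the server returns for either method, which is the MAB dynamic VLAN case just mentioned. The server address, shared key placeholder, interface, and VLAN numbers (50 static fallback, 98 authentication-failure, 99 guest) are assumed values; the `authentication ...` command set assumes a 12.2(50)SE or later IOS.

```cisco
! Added example, not from the thread. Assumed values: RADIUS at 192.0.2.10,
! key is a placeholder, VLAN 50 fallback, VLAN 98 auth-fail, VLAN 99 guest.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-KEY-PLACEHOLDER
aaa authentication dot1x default group radius
! Without network authorization the switch ignores attributes 64/65/81.
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 switchport mode access
 ! Static VLAN used only when RADIUS returns no Tunnel-Private-Group-ID
 switchport access vlan 50
 authentication port-control auto
 ! Try 802.1X first; a device with no supplicant falls through to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Failed credentials land in the authentication-failure VLAN
 authentication event fail action authorize vlan 98
 ! No EAP response at all (guest laptop, no supplicant, no MAB entry) lands in the guest VLAN
 authentication event no-response action authorize vlan 99
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
```

On the RADIUS side, the printer's MAB entry (MAC as both username and password, as described earlier in the thread) and the domain user's group each get their own 64/65/81 triple, so the same port ends up in the printer or user VLAN depending on which method succeeded. Keep the guest and failure VLANs filtered with VLAN ACLs as sachinraja notes, since those VLANs are reached without any credential.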