Implementing 802.1x in a per-switch-VLANs topology

Answered Question
Jun 25th, 2010

We have multiple 6509E access switches which currently have a unique user VLAN per switch (e.g. access-switch1 users are on VLAN 101, access-switch2 users are on VLAN 102, etc.).


We would like to implement 802.1x so that users either end up on an authorised VLAN or a guest VLAN depending on successful authentication. However, we would like to keep the per-switch VLAN topology, so that users on switch1 go onto VLAN 101 if authenticated or guest VLAN 201 if untrusted, and users on switch2 would go onto VLAN 102 if authenticated or 202 if unauthenticated, etc.


We are able to get this working with a single trusted VLAN and a single guest VLAN, but these would have to span the whole network. Does anybody know if it is possible to allocate VLANs within 802.1x depending on which switch they are authenticating to, so that they are placed into the correct VLAN for that switch?


Thanks in advance.

Correct Answer by howardghooper about 7 years 3 weeks ago

Hi Paul,


Dot1x RFC 3580 specifies that the Tunnel-Private-Group-ID tunnel attribute carries a string, not specifically a number, so the solution to your problem can be achieved by entering the VLAN name into the RADIUS server and configuring your access switches with the individual VLANs you wish to use on each one. Those VLANs that have the same function across switches must have exactly the same name that you entered into the RADIUS server, e.g.


switch1 - VLAN 100 TECH, VLAN 150 GUEST

switch2 - VLAN 200 TECH, VLAN 250 GUEST


Radius entries

, TECH

, GUEST


So if a user with mac1 connects to switch1 or switch2 and is authenticated successfully, the RADIUS server replies with Tunnel-Private-Group-ID=TECH instead of 100 or 200. Regardless of the local VLAN number on the switch, if the name matches the name in the switch configuration, the switch will place it into the correct numbered VLAN based on the name, hopefully removing the confusion of having to work out how to put the same user into a different numbered VLAN based on the access switch they connect to at the time.


Hope this helps


Howard



Howard Hooper CCIE 23470

CCNP CCNA CCDA

MCP CWSE

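As an added illustration of the answer above (this is example code written for this page, not Howard's or Cisco's), the following Python models the switch-side step RFC 3580 describes: the RADIUS Access-Accept carries Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6) and a Tunnel-Private-Group-ID string, and the authenticator resolves that string against its own VLAN database. Two constructed switches with the same VLAN names but different VLAN numbers show why a name works where a number does not, and a small pre-deployment check lists any switch that lacks a name the RADIUS policy can return. The attribute numbers (64, 65, 81) and the optional leading tag byte come from RFC 2868/3580; the exact, case-sensitive name comparison and the behaviour on an unknown VLAN (port left unauthorized, returned here as None) are assumptions of the model, not verified 6509E behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 2868 attribute numbers and the values RFC 3580 uses for VLAN assignment.
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Switch:
    """Per-switch VLAN database: local VLAN id -> VLAN name, plus the guest VLAN."""
    name: str
    vlans: Dict[int, str]
    guest_vlan: int

    def vlan_by_name(self, wanted: str) -> Optional[int]:
        # Exact, case-sensitive comparison (assumed; the answer says the
        # RADIUS string must match the configured VLAN name exactly).
        for vid, vname in self.vlans.items():
            if vname == wanted:
                return vid
        return None


def group_id_string(raw) -> str:
    """Tunnel-Private-Group-ID may carry a one-byte tag (0x00-0x1F) in front of
    the string (RFC 2868 section 3.6); strip it so b'\\x01TECH' and 'TECH' agree."""
    if isinstance(raw, bytes):
        if raw and raw[0] <= 0x1F:
            raw = raw[1:]
        return raw.decode("ascii")
    if raw and ord(raw[0]) <= 0x1F:
        raw = raw[1:]
    return raw


def resolve_vlan(switch: Switch, reply: Optional[dict], port_vlan: int) -> Optional[int]:
    """Model of the authenticator's decision.

    reply is None            -> Access-Reject or no RADIUS answer: guest VLAN.
    reply without the triple -> Access-Accept, port keeps its static VLAN.
    reply with the triple    -> all-digit string is a VLAN id, anything else a
                                VLAN name; if that VLAN does not exist locally
                                return None (assumed: authorization refused).
    """
    if reply is None:
        return switch.guest_vlan
    if (reply.get(ATTR_TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or reply.get(ATTR_TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802
            or ATTR_TUNNEL_PRIVATE_GROUP_ID not in reply):
        return port_vlan
    group = group_id_string(reply[ATTR_TUNNEL_PRIVATE_GROUP_ID])
    if group.isdigit():
        vid = int(group)
        return vid if vid in switch.vlans else None
    return switch.vlan_by_name(group)


def missing_vlan_names(switches: List[Switch], names: List[str]) -> List[Tuple[str, str]]:
    """Pre-deployment check: every VLAN name the RADIUS policy can return must
    exist on every access switch, otherwise users there end up unauthorized."""
    return [(sw.name, n) for sw in switches for n in names if sw.vlan_by_name(n) is None]


# Constructed sample data mirroring the thread: same names, different ids per switch.
SWITCH1 = Switch("switch1", {100: "TECH", 150: "GUEST"}, guest_vlan=150)
SWITCH2 = Switch("switch2", {200: "TECH", 250: "GUEST"}, guest_vlan=250)

# Constructed Access-Accept contents: one by VLAN name (with a tag byte), one by number.
ACCEPT_TECH = {ATTR_TUNNEL_TYPE: 13, ATTR_TUNNEL_MEDIUM_TYPE: 6,
               ATTR_TUNNEL_PRIVATE_GROUP_ID: b"\x01TECH"}
ACCEPT_100 = {ATTR_TUNNEL_TYPE: 13, ATTR_TUNNEL_MEDIUM_TYPE: 6,
              ATTR_TUNNEL_PRIVATE_GROUP_ID: "100"}

if __name__ == "__main__":
    for sw in (SWITCH1, SWITCH2):
        print(sw.name, "TECH by name      ->", resolve_vlan(sw, ACCEPT_TECH, port_vlan=1))
        print(sw.name, "VLAN 100 by number->", resolve_vlan(sw, ACCEPT_100, port_vlan=1))
        print(sw.name, "reject            ->", resolve_vlan(sw, None, port_vlan=1))
    print("missing:", missing_vlan_names([SWITCH1, SWITCH2], ["TECH", "GUEST", "FINANCE"]))
```

Running it shows the point of the answer: the name TECH resolves to 100 on switch1 and 200 on switch2, while the number 100 only works on switch1 and leaves a switch2 user unauthorized. The `missing_vlan_names` check is worth running against the real VLAN databases before rolling the RADIUS policy out, since a typo in a VLAN name on one switch silently turns into authentication failures on that switch only.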
Correct Answer
howardghooper Mon, 06/28/2010 - 01:00

pmchandler Mon, 06/28/2010 - 02:39

Thanks, Howard,


We will try this solution this week and let you know how it works out.


Regards,


Paul.
