Implementing 802.1x in a per-switch-VLANs topology

pmchandler
Level 1

We have multiple 6509E access switches which currently have a unique user VLAN per switch (e.g. access-switch1 users are on vlan 101, access-switch2 users are on vlan 102 etc).

We would like to implement 802.1x so that users either end up on an authorised vlan or a guest vlan depending on successful authentication. However, we would like to keep the per-switch vlan topology so that users on switch1 go onto vlan 101 if authenticated or guest vlan 201 if untrusted and users on switch 2 would go onto vlan 102 if authenticated or 202 if unauthenticated etc.

We are able to get this working with a single trusted VLAN and a single guest VLAN, but these would have to span the whole network. Does anybody know if it is possible to allocate VLANs within 802.1x depending on which switch the users are authenticating to, so that they are placed into the correct VLAN for that switch?

Thanks in advance.

Accepted Solution

howardghooper
Level 1

Hi Paul,

Dot1x RFC 3580 specifies that the Tunnel-Private-Group-ID tunnel attribute carries a string and not specifically a number, so the solution to your problem can be achieved by entering the VLAN name into the RADIUS server and configuring your access switches with the individual VLANs you wish to use on each one, but those VLANs that have the same function across switches must have exactly the same name that you entered into the RADIUS server, e.g.

switch1 - VLAN 100 TECH, VLAN 150 GUEST

switch2 - VLAN 200 TECH, VLAN 250 GUEST

Radius entries

, TECH

, GUEST

So if a user with mac1 connects to switch1 or switch2 and is authenticated successfully, the RADIUS server replies with Tunnel-Private-Group-ID=TECH instead of a 100 or 200. Regardless of the local VLAN number on the switch, if the name matches the name in the switch configuration, the switch will place it into the correct numbered VLAN based on the name, hopefully removing the confusion of having to work out how to put the same user into a different numbered VLAN based on the access switch they connect to at the time.

Hope this helps

Howard

Howard Hooper CCIE 23470

CCNP CCNA CCDA

MCP CWSE

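The mechanism Howard describes, as an added worked model that is not part of this thread and not Cisco or RADIUS server code: a tiny Python simulation of the switch-side handling of the three RFC 3580 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID). The user store, the switch names and their VLAN tables are constructed from the example in the reply; the RFC 2868 tag-byte stripping is from that RFC; treating a name the switch does not have as "port stays unauthorized" is an assumption of this model, as is the exact, case-sensitive name match. It also folds the guest VLAN and the auth-fail VLAN into one outcome, which real IOS ports keep as separate settings.

```python
# Added illustration: a model of RFC 3580 dynamic VLAN assignment by VLAN name.
from dataclasses import dataclass
from typing import Optional

# Enumerated values from RFC 2868 / RFC 3580.
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type = VLAN
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6  # Tunnel-Medium-Type = IEEE-802


@dataclass(frozen=True)
class RadiusAccept:
    """The three tunnel attributes an Access-Accept carries for VLAN assignment."""
    tunnel_type: int
    tunnel_medium_type: int
    tunnel_private_group_id: bytes  # raw octets; may start with an RFC 2868 tag byte


def group_id_string(raw: bytes) -> str:
    """RFC 2868: a leading octet in 0x01..0x1F is a tag, not part of the text."""
    if raw and 1 <= raw[0] <= 0x1F:
        raw = raw[1:]
    return raw.decode("ascii")


@dataclass
class AccessSwitch:
    """Per-switch state: the local VLAN database plus the guest VLAN for its ports."""
    name: str
    vlans: dict        # vlan id -> vlan name, as entered with 'vlan 100' / 'name TECH'
    guest_vlan: int    # the per-port guest VLAN configured on this switch

    def resolve_vlan(self, accept: RadiusAccept) -> Optional[int]:
        """Map the RADIUS reply onto a VLAN id that exists on THIS switch, or None."""
        if (accept.tunnel_type != TUNNEL_TYPE_VLAN
                or accept.tunnel_medium_type != TUNNEL_MEDIUM_TYPE_IEEE_802):
            return None
        group = group_id_string(accept.tunnel_private_group_id)
        if group.isdigit():
            # Numeric form: accepted only if that VLAN id is defined locally.
            vid = int(group)
            return vid if vid in self.vlans else None
        # Name form: exact, case-sensitive match against the local VLAN names
        # (modelling assumption; the reply says the names must match exactly).
        for vid, vname in self.vlans.items():
            if vname == group:
                return vid
        return None

    def authorize_port(self, accept: Optional[RadiusAccept]) -> tuple:
        """Outcome for one port. accept=None stands for any unsuccessful EAP exchange
        (guest VLAN and auth-fail VLAN are collapsed into one outcome in this model)."""
        if accept is None:
            return ("guest", self.guest_vlan)
        vid = self.resolve_vlan(accept)
        if vid is None:
            # The named VLAN is not defined here: refuse rather than guess, so a
            # misspelt or missing name never drops a user into some other VLAN.
            return ("unauthorized", None)
        return ("authorized", vid)


# Constructed RADIUS user store: the same reply is sent whichever switch asks.
RADIUS_USERS = {
    "mac1": "TECH",
    "mac2": "GUEST",
    "mac3": "SALES",   # a VLAN name that no access switch in this example defines
}


def radius_lookup(identity: str) -> Optional[RadiusAccept]:
    """Constructed RADIUS server: Access-Accept with tunnel attributes, or None (reject)."""
    group = RADIUS_USERS.get(identity)
    if group is None:
        return None
    return RadiusAccept(TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_TYPE_IEEE_802, group.encode("ascii"))


# The two switches from the reply: same names, different VLAN numbers.
SWITCH1 = AccessSwitch("switch1", {100: "TECH", 150: "GUEST"}, guest_vlan=150)
SWITCH2 = AccessSwitch("switch2", {200: "TECH", 250: "GUEST"}, guest_vlan=250)


def login(switch: AccessSwitch, identity: str) -> tuple:
    """One supplicant plugging into one switch: RADIUS round trip, then port outcome."""
    return switch.authorize_port(radius_lookup(identity))


if __name__ == "__main__":
    for sw in (SWITCH1, SWITCH2):
        for who in ("mac1", "mac2", "mac3", "unknown"):
            print(sw.name, who, login(sw, who))
```

Running it shows mac1 landing in VLAN 100 on switch1 and VLAN 200 on switch2 from one and the same RADIUS reply, while mac3 (a name defined on neither switch) is left unauthorized on both, which is the check worth keeping in mind when rolling a new VLAN name out to the RADIUS server before every access switch has a VLAN of that name.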

3 Replies


Thanks, Howard,

We will try this solution this week and let you know how it works out.

Regards,

Paul.

I can report this solution works fine.

Thanks

Paul
