06-25-2010 07:51 AM - edited 03-10-2019 05:13 PM
We have multiple 6509E access switches which currently have a unique user VLAN per switch (e.g. access-switch1 users are on vlan 101, access-switch2 users are on vlan 102 etc).
We would like to implement 802.1x so that users either end up on an authorised vlan or a guest vlan depending on successful authentication. However, we would like to keep the per-switch vlan topology so that users on switch1 go onto vlan 101 if authenticated or guest vlan 201 if untrusted and users on switch 2 would go onto vlan 102 if authenticated or 202 if unauthenticated etc.
We are able to get this working with a single trusted vlan and single guest vlan but these would have to span across the whole network. Does any body know if it is possible to allocate vlans within 802.1x depending on which switch they are authenticating to so that they are placed into the correct vlan for that switch?
Thanks in advance.
06-28-2010 01:00 AM
Hi Paul,
Dot1x RFC 3580 specifies that the Tunnel-Private-Group-ID tunnel attribute carries a string, not specifically a number, so the solution to your problem can be achieved by entering the VLAN name into the RADIUS server and configuring your access switches with the individual VLANs you wish to use on each one. Those VLANs that have the same function across switches must have exactly the same name as the one you entered into the RADIUS server, e.g.
switch1 - VLAN 100 TECH, VLAN 150 GUEST
switch2 - VLAN 200 TECH, VLAN 250 GUEST
RADIUS entries
So if a user with mac1 connects to switch1 or switch2 and is authenticated successfully, the RADIUS server replies with Tunnel-Private-Group-ID=TECH instead of 100 or 200. Regardless of the local VLAN number on the switch, if the name matches the name in the switch configuration, the switch will place the user into the correct numbered VLAN based on the name, hopefully removing the confusion of having to work out how to put the same user into a different numbered VLAN based on the access switch they connect to at the time.
Hope this helps
Howard
Howard Hooper CCIE 23470
CCNP CCNA CCDA
MCP CWSE
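A small model of the switch-side lookup Howard describes, added here as an illustration and not code from this thread or from Cisco: each switch keeps its own VLAN id-to-name table, and the string in Tunnel-Private-Group-ID is resolved against that table, so the same RADIUS reply lands on a different numbered VLAN per switch. The switch tables, the Access-Accept contents and the "port left unauthorized on an unknown name" behaviour are constructed assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 2868 / RFC 3580 attribute values used for VLAN assignment.
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type = IEEE-802

def strip_tag(group_id: bytes) -> str:
    """Tunnel-Private-Group-ID may start with an RFC 2868 tag byte (0x00-0x1F);
    it is not part of the VLAN name and must be dropped before comparing."""
    if group_id and group_id[0] <= 0x1F:
        group_id = group_id[1:]
    return group_id.decode("ascii")

@dataclass
class Switch:
    hostname: str
    vlans: Dict[int, str]   # VLAN id -> name, as in this switch's own config
    access_vlan: int        # port's configured VLAN when RADIUS assigns none
    unauth_vlan: int        # the thread's per-switch "guest" VLAN for failed auth

    def resolve(self, group_id: str) -> Optional[int]:
        """A digit string is a VLAN id; anything else is a VLAN name that must
        match the local name exactly (case-sensitive, as the answer stresses)."""
        if group_id.isdigit():
            vid = int(group_id)
            return vid if vid in self.vlans else None
        return next((vid for vid, name in self.vlans.items() if name == group_id), None)

    def authorize(self, reply: Optional[dict]) -> Optional[int]:
        """VLAN the port ends up in. None means the Access-Accept referenced a VLAN
        this switch cannot resolve, so the port is left unauthorized (model assumption)
        rather than guessed into some other VLAN."""
        if reply is None:                         # Access-Reject
            return self.unauth_vlan
        gid = reply.get("Tunnel-Private-Group-ID")
        if gid is None:                           # accepted, but no VLAN assignment
            return self.access_vlan
        if (reply.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
                or reply.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802):
            return None                           # RFC 3580 requires all three attributes
        return self.resolve(strip_tag(gid))

# Constructed switch tables following the answer's example: same names, different ids.
SWITCH1 = Switch("switch1", {100: "TECH", 150: "GUEST"}, access_vlan=100, unauth_vlan=150)
SWITCH2 = Switch("switch2", {200: "TECH", 250: "GUEST"}, access_vlan=200, unauth_vlan=250)
SWITCH3 = Switch("switch3", {300: "Tech", 350: "GUEST"}, access_vlan=300, unauth_vlan=350)  # misnamed

# Constructed Access-Accept for an authorised user: tag byte 0x01 followed by the name.
ACCEPT_TECH = {"Tunnel-Type": TUNNEL_TYPE_VLAN, "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
               "Tunnel-Private-Group-ID": b"\x01TECH"}

if __name__ == "__main__":
    for sw in (SWITCH1, SWITCH2, SWITCH3):
        print(sw.hostname, "accept ->", sw.authorize(ACCEPT_TECH), "| reject ->", sw.authorize(None))
```

switch3 shows the failure mode to check for before rollout: a VLAN whose name differs even in case from the RADIUS entry never resolves, so authenticated users on that switch get no VLAN at all.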
06-28-2010 02:39 AM
Thanks, Howard,
We will try this solution this week and let you know how it works out.
Regards,
Paul.
07-13-2010 08:15 AM
I can report this solution works fine.
Thanks
Paul