Re: 802.1x with Vlan assigment

ehuamannahui · ‎06-19-2007

Hello, I have a switch 2960G, according to the datasheet it supports 802.1.x with vlan assigment.

I wonder what elements do I need in order to implement that solutions.

The idea is every time user A is autheticated, the port should be configured to belong to Vlan 2

and for user B, the port should belong to vlan 3, and in case the authentication is failed the port should be configured to belong to vlan 4.

I wonder how the host should connect to the network, will it work using static ip address or I need a DHCP server?

The radius will belong to vlan 2.

I hope you can help on that.

Thanks and best regards

Edgar

wong34539 · ‎06-25-2007

In the supervisor engine software releases prior to software release 7.2(2), once the 802.1X host is authenticated, it joins an NVRAM-configured VLAN. With software release 7.2(2) and later releases, after authentication, an 802.1X host can receive its VLAN assignment from the RADIUS server.

The VLAN assignment feature allows you to restrict users to a specific VLAN. For example, you could put the guest users in a VLAN with limited access to the network.

The 802.1X authenticated ports are assigned to a VLAN based on the username of the host that is connected to the port. This feature works with the RADIUS server that has a database of username-to-VLAN mappings.

After a successful 802.1X authentication of the port, the RADIUS server sends the VLAN in which the user needs to be given access

ehuamannahui · ‎06-25-2007

Hello wong,

Thanks for answer. I still wonder how the user should connect to the network. I wonder if the 802.1x host need an static IP address before to be authenticated. In case it works with dynamic ip address, when the Ip address is assigne before or after the authentication.

If it were after, will I need to two dhcp server one for the secure vlan and the other to the guest vlan?

Thanks a lot for your answers,

Edgar

Jagdeep Gambhir · ‎06-25-2007

Edgar,

First the user gets authenticated then it get the IP address.

You will just need one DHCP server, and in that you can define pools as per the VLAN.

After a VLAN change (new authentication with user belonging to different VLAN) following

happens:

1. Machine tries three to get previous IP address (DHCP request) --> this takes about 10 second.

2. Then it is doing a new DHCP discovery and gets the proper IP address.

~JG

Please rate if helps !

Jagdeep Gambhir · ‎06-25-2007

Hi,

It would be better to have ip address assigned by DHCP server.

So you need here is a Switch supporting Dot1x,

Radius and a Dhcp server.

The RADIUS server must return these attributes to the switch.

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

# RADIUS configuration

set radius server auth-port 1812 primary

set radius key

# Global 802.1x configuration

set dot1x system-auth-control enable

set dot1x quiet-period 10 (default: 30)

set dot1x tx-period 10 (default: 30)

set dot1x supp-timeout 5 (default: 30)

set dot1x server-timeout 5 (default: 30)

set dot1x max-req 4 (default: 2)

set dot1x re-authperiod

# Port Level 802.1x configuration

set port dot1x port-control auto

set port dot1x port-control force-authorized

set port dot1x multiple-host enable/disable

set port dot1x re-authentication enable/disable

Hope that helps !

Regards,

~JG