Attribute
Name Type
Value
Tunnel-Type
064
13
(decimal)
–
VLAN
Tunnel-Medium-Type
065
6
(decimal)
–
802
Tunnel-Private-Group-ID 081
(string) – either the name or the number
of a VLAN configured on the Foundry device
The following occurs under Dynamic VLAN Assignment:
1. When the user enters their 802.1X credentials, the Foundry device sends the information to the IAS server
using the RADIUS protocol.
2. The Remote Access Policies on the IAS server is used to determine if the user’s account is a member of a
particular VLAN Group. If the user account is part of a VLAN Group and the authentication is successful, the
VLAN ID associated with the VLAN Group is sent back to the Foundry device using the RADIUS Tunnel-
Private-Group-ID attribute.
3. The port on the Foundry device is dynamically assigned to the VLAN matching the VLAN ID and the user
becomes a member of the Port-Based VLAN.
Conditions that may trigger an unsuccessful authentication and/or Dynamic VLAN assignment include:
• If the Tunnel-Type or the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message do not have
the values specified above, the Foundry device will ignore the three Attribute-Value pairs. If the
authentication credentials supplied were valid, the Foundry device authorizes the port, but the port is not
dynamically placed in a VLAN. Otherwise, the client is not authorized.
• If the Tunnel-Type or the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message have the
values specified above, but there is no value specified for the Tunnel-Private-Group-ID attribute, the client
will not be authorized.
• When the Foundry device receives the value specified for the Tunnel-Private-Group-ID attribute, it checks its
VLANs for a match using both the name and the numeric ID. If there is a match, the port is placed in the
VLAN whose ID corresponds to the VLAN Name or ID. If there is no match, the client is not authorized.
March 2003
©2003 Foundry Networks, Inc.
18
Version 1.0.0
All Rights Reserved.
Chia sẻ với bạn bè của bạn: |