
Configuring dynamic vlan assignment, Vlan assignment modes, Configuring dynamic vlan list assignment – H3C Technologies H3C S3600 Series Switches User Manual


accounting. In this case, if the combined scheme uses RADIUS or HWTACACS, the system never uses the secondary scheme for authorization and accounting.

- If you configure no separate scheme, the combined scheme is used for authentication, authorization, and accounting. In this case, if the system uses the secondary local scheme for authentication, it also does so for authorization and accounting; if the system uses the first scheme for authentication, it also does so for authorization and accounting, even if authorization and accounting fail.

Configuring Dynamic VLAN Assignment

VLAN assignment modes

In networks where 802.1x and MAC address authentication are used, RADIUS servers are often used to control the access rights of authenticated users by issuing dynamic VLANs. By receiving and resolving RADIUS packets, the switches can assign the ports connecting to users to specific VLANs, thus controlling the users' access to network resources.

Currently, the switch supports the following two types of assigned VLAN IDs: integer, string, and VLAN list.

- Integer: If the RADIUS authentication server assigns integer-type VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the switch first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN.

- String: If the RADIUS authentication server assigns string-type VLAN IDs, you can set the VLAN assignment mode to string on the switch. Then, upon receiving a string ID assigned by the RADIUS authentication server, the switch compares the ID with existing VLAN names on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user fails the authentication.

- VLAN list: To let users connected to an authentication port access resources in different VLANs, you can configure a VLAN list on the RADIUS server, assign the port to all the VLANs in the VLAN list, and specify the tagging mode in which the port joins a VLAN, that is, specify whether the port sends the data frames of that VLAN with the VLAN tag attached. In this case, you need to make some configurations on the switch too, so that the switch can recognize the VLAN list carried in a RADIUS packet and assign the port to the VLANs specified in the VLAN list. Configuring a switch to recognize VLAN lists carried in RADIUS packets is referred to as the configuration of Auto VLAN in this document.

Configuring dynamic VLAN list assignment

The RADIUS server issues a VLAN list to a switch by sending RADIUS packets. Each RADIUS packet contains a Tunnel-Private-Group-ID attribute (attribute 81 in the RADIUS standard) string, which includes one or multiple number+suffix combinations (such as 1u, 2t, and 3) that indicate a VLAN list, where a number indicates a VLAN ID, and a suffix indicates whether data frames of the VLAN are sent tagged.
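A check an administrator could run on a VLAN-list string before configuring it as the Tunnel-Private-Group-ID value on the RADIUS server, shown as an added example that is not part of the H3C manual. The separator (whitespace or commas), the function names, and the allow-list policy are assumptions; the suffixes are validated against the ones in the example above but their meaning is not interpreted.

```python
import re

# Assumption: combinations are separated by whitespace and/or commas. The
# manual shows the tokens (1u, 2t, 3) but not the separator used on the wire.
SEPARATOR = re.compile(r"[,\s]+")
TOKEN = re.compile(r"(\d{1,4})([a-z]?)")
# Suffixes seen in the manual's example; "" means "no suffix".
KNOWN_SUFFIXES = {"u", "t", ""}


def parse_vlan_list(value):
    """Return [(vlan_id, suffix), ...]; raise ValueError on malformed input."""
    tokens = [t for t in SEPARATOR.split(value.strip()) if t]
    if not tokens:
        raise ValueError("empty VLAN list")
    entries, seen = [], set()
    for tok in tokens:
        m = TOKEN.fullmatch(tok)
        if not m:
            raise ValueError(f"malformed entry {tok!r}")
        vid, suffix = int(m.group(1)), m.group(2)
        if not 1 <= vid <= 4094:  # usable 802.1Q VLAN ID range
            raise ValueError(f"VLAN ID {vid} out of range")
        if suffix not in KNOWN_SUFFIXES:
            raise ValueError(f"unknown suffix {suffix!r} in {tok!r}")
        if vid in seen:  # same VLAN listed twice, possibly with two suffixes
            raise ValueError(f"VLAN ID {vid} listed more than once")
        seen.add(vid)
        entries.append((vid, suffix))
    return entries


def audit_vlan_list(value, allowed_vlans):
    """Return a list of findings; an empty list means well-formed and in policy."""
    try:
        entries = parse_vlan_list(value)
    except ValueError as exc:
        return [f"reject: {exc}"]
    # allowed_vlans is a hypothetical site policy: the VLANs that dynamic
    # assignment is permitted to place an authenticated port into.
    return [f"vlan {vid} not in allow-list"
            for vid, _ in entries if vid not in allowed_vlans]


if __name__ == "__main__":
    # Constructed sample values, not captured from a real RADIUS server.
    for sample in ("1u 2t 3", "10u 999t", "1u 1t", "4095t"):
        print(sample, "->", audit_vlan_list(sample, {1, 2, 3, 10}) or "ok")
```
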

When the switch receives the VLAN list information, it assigns the authentication port to the VLANs in the VLAN list, and specifies whether the frames of a VLAN are sent tagged according to the suffix of the VLAN ID in the VLAN list as follows:
