FAQ: How to assign VLANs dynamically to access interfaces using RADIUS authentication

Publication Date: 2014-11-30
Issue Description
This FAQ shows how to implement dynamic VLAN assignment to access ports via RADIUS.
Solution


To assign VLANs dynamically from the RADIUS server, you can use one of the following standard attributes to deliver the VLAN attribute (RFC 2865, RFC 2866, and RFC 3576 define standard RADIUS attributes, which are supported by all mainstream vendors):



Attribute No.   Attribute Name            Description
64              Tunnel-Type               Protocol type of the tunnel. The value is fixed as 13, indicating VLAN.
65              Tunnel-Medium-Type        Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet.
81              Tunnel-Private-Group-ID   Tunnel private group ID, which is used to deliver user VLAN IDs.

Please check this.          



The following example shows a configuration that works for dynamic VLAN assignment.



#
interface GigabitEthernet0/0/3
 description Test-port
 port hybrid pvid vlan 710
 undo port hybrid vlan 1
 port hybrid untagged vlan 301 501 710
 dot1x enable
 dot1x max-user 10
 dot1x authentication-method eap



Communication will work on any of VLANs 301, 501 or 710.
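
As an added example (not part of the original FAQ and not Huawei code), the Python below parses the three tunnel attributes out of a RADIUS Access-Accept and rejects a VLAN that is not in the untagged list of the example port. The function names and the sample packet are constructed. It assumes a numeric VLAN ID and all three attributes sent together, as RFC 3580 describes, and it does not verify the packet authenticator.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, ETHERNET = 13, 6                   # fixed values from the attribute table
PORT_VLANS = frozenset({301, 501, 710})  # untagged VLANs on GigabitEthernet0/0/3

def parse_attributes(packet: bytes) -> dict:
    """Split a RADIUS packet into {attribute number: [raw values]}."""
    length = int.from_bytes(packet[2:4], "big")   # header: code, id, length, authenticator
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        a_type = packet[pos]
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def assigned_vlan(packet: bytes, allowed=PORT_VLANS) -> int:
    """Return the VLAN ID delivered by the packet, or raise ValueError."""
    attrs = parse_attributes(packet)
    def tagged_int(a_type: int) -> int:
        # Attributes 64 and 65 carry one tag byte followed by a 3-byte integer (RFC 2868).
        value = attrs.get(a_type, [b""])[0]
        if len(value) != 4:
            raise ValueError(f"attribute {a_type} missing or wrong size")
        return int.from_bytes(value[1:], "big")
    if tagged_int(TUNNEL_TYPE) != VLAN or tagged_int(TUNNEL_MEDIUM_TYPE) != ETHERNET:
        raise ValueError("tunnel attributes do not describe an Ethernet VLAN")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, [b""])[0]
    if group and group[0] <= 0x1F:       # optional tag byte in front of the string
        group = group[1:]
    if not group.isdigit():
        raise ValueError("Tunnel-Private-Group-ID is not a numeric VLAN ID")
    vlan = int(group.decode("ascii"))
    if vlan not in allowed:
        raise ValueError(f"VLAN {vlan} is not configured on the port")
    return vlan

def build_accept(group_id: bytes) -> bytes:
    """Constructed sample Access-Accept (code 2, zeroed authenticator)."""
    def attr(a_type: int, value: bytes) -> bytes:
        return bytes([a_type, len(value) + 2]) + value
    body = (attr(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + ETHERNET.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, group_id))
    return bytes([2, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body
```

For example, `assigned_vlan(build_accept(b"301"))` returns 301, while a reply carrying `b"999"` raises `ValueError` because VLAN 999 is not on the port.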
