The authorization server can deliver user authorization information, such as a dynamic VLAN, to a device through attributes.
To assign a VLAN to a user after authentication succeeds, the RADIUS server has to deliver the following attributes (RFC2865, RFC2866, and RFC3576 define standard RADIUS attributes, which are supported by all mainstream vendors):
Standard attributes to deliver the VLAN:

| Attribute No. | Attribute Name | Description |
| --- | --- | --- |
| 64 | Tunnel-Type | Protocol type of the tunnel. The value is fixed as 13, indicating VLAN. |
| 65 | Tunnel-Medium-Type | Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet. |
| 81 | Tunnel-Private-Group-ID | Tunnel private group ID, which is used to deliver user VLAN IDs. |

Configuration example:
As for the configuration, we don't need anything special on our device. We just have to make sure that the RADIUS server is configured correctly, that dot1x is enabled on the interface, and that the VLAN is created on the switch.
Let's say that we have two user groups, user group A and user group B. After the users authenticate successfully, those who are part of group A will be allowed in VLAN 301, while the others will be allowed in VLAN 501. If the authentication fails, we will assign them VLAN 701.
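
To check what the RADIUS server actually sends for groups A and B, the sketch below encodes the three attributes from the table as they appear on the wire and validates a received attribute block. It is an added example, not part of the original page or any vendor's code. The function names and the group names `groupA`/`groupB` are assumptions, and the tagged layout follows RFC 2868.

```python
import struct

# Attribute numbers and fixed values from the table above.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_ETHERNET = 13, 6
GROUP_VLAN = {"groupA": 301, "groupB": 501}  # group names are assumed

def encode_vlan_attrs(vlan_id, tag=0):
    """Encode the three VLAN attributes as carried in an Access-Accept."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    def tagged_int(attr, value):
        # type, length (always 6), tag octet, 24-bit value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    vid = str(vlan_id).encode("ascii")  # the VLAN ID travels as a string
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_ETHERNET)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid)

def parse_attrs(blob):
    """Split a RADIUS attribute block into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs

def assigned_vlan(blob):
    """Return the VLAN ID a reply assigns, or None if the triplet is incomplete or wrong."""
    found = dict(reversed(parse_attrs(blob)))  # first occurrence of each type wins
    ttype = found.get(TUNNEL_TYPE)
    medium = found.get(TUNNEL_MEDIUM_TYPE)
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or medium is None or not group:
        return None
    if len(ttype) != 4 or len(medium) != 4:
        return None
    if int.from_bytes(ttype[1:], "big") != TYPE_VLAN:
        return None
    if int.from_bytes(medium[1:], "big") != MEDIUM_ETHERNET:
        return None
    if group[0] <= 0x1F:  # a leading octet in 0x00-0x1F is a tag, not part of the string
        group = group[1:]
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None
```

A `None` result from `assigned_vlan` means the reply is missing one of the three attributes or carries a value other than 13/6, which is the first thing to rule out when a user authenticates but does not land in the expected VLAN.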