As we all know, RADIUS is often used in network environments that require high security and control remote user access. With Radius we can implement authentication, authorization and accounting for all the users. I don’t want to get into details because the point of this post focuses on just one aspect of all the things you can do with radius: the authorization, more specific the assignement of VLAN from the server .
The authorization server can deliver user authorization information such as a dynamic VLAN to a device through attributes
To assign a vlan to a user after the authentication is succesful we have to deliver the following attributes from the radius-server: (RFC2865, RFC2866, and RFC3576 define standard RADIUS attributes, which are supported by all mainstream vendors):
Standard attributes to deliver the VLAN :
Attribute No. Attribute Name Description
64 Tunnel-Type Protocol type of the tunnel. The value is fixed as 13, indicating VLAN.
65 Tunnel-Medium-Type Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet.
81 Tunnel-Private-Group-ID Tunnel private group ID, which is used to deliver user VLAN IDs.
Configuration example :
As for the configuration, on our device we don’t need anything special. We just have to make sure that we configured correctly the radius server, enabled dot1x on the interface and that the vlan is created on the switch
Let’s say that we have two user groups, user group A and user group B. After the users authenticates successfully , if they are part of group A , they will be allowed in vlan 301, while the others will be allowed in vlan 501. If the authentication fails we will assign them vlan 701