Table 7 VLAN assignment in MAC-based access control mode

Link type: Access
VLAN assignment:
  Sets the VLAN ID assigned through the Tunnel attributes to the first authenticated user as the PVID on the port.
  If a different VLAN is assigned to a subsequent user, the user cannot pass the authentication. To avoid the authentication failure of subsequent users, be sure to assign the same VLAN to all 802.1X users that are attached to an access port.

Link type: Trunk
VLAN assignment:
  • Sets the VLAN assigned through the Tunnel attributes as the PVID on the port.
  • Assigns the port to VLANs assigned through the Egress-VLANID or Egress-VLAN-Name attribute.

Link type: Hybrid
VLAN assignment:
  • If MAC-based VLAN is disabled, the VLAN assignment actions are the same as on a trunk port.
  • If MAC-based VLAN is enabled, the device does the following actions:
    ◦ Maps the user's MAC address to the VLAN assigned through the Tunnel attributes, and sets the VLAN as an untagged VLAN.
    ◦ Maps the user's MAC address to the VLAN assigned through the Egress-VLANID or Egress-VLAN-Name attribute, and sets the VLAN as a tagged VLAN.
    When a user logs off, the MAC-to-VLAN mapping for the user is removed.
  If MAC-based VLAN is enabled, the device does not replace the PVID on the port with a server-assigned VLAN, regardless of whether the assignment is through Tunnel attributes or the Egress-VLANID attribute.
On a port with periodic online user re-authentication enabled, if a user was already online before you enabled the MAC-based VLAN function, the device does not create a MAC-to-VLAN mapping for that user until the user passes re-authentication and the VLAN assigned to the user has changed.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2 - LAN Switching Configuration Guide.
VLAN group assignment
Use VLAN group assignment to balance users across several VLANs.
VLAN group assignment allows the authentication server to assign a VLAN group to the access device for an 802.1X user. From this VLAN group, the device picks a VLAN for the 802.1X user in the following order:
1. Selects the VLAN that has the fewest number of online 802.1X users.
   If a port performs port-based access control, all 802.1X users attached to the port are counted as one user.
2. If two VLANs have the same number of 802.1X users, the device selects the VLAN with the lower ID.
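The selection order above, as an added example that is not part of the configuration guide or the device software: the online-user table, the port names and the "mac"/"port" mode labels are constructed for illustration, and the function returns the VLAN the device would pick from a server-assigned group.

```python
from collections import Counter

# Constructed sample data: online 802.1X users currently known on the device,
# as (port, access control mode, VLAN ID, MAC address) tuples.
# "port" means the port performs port-based access control; "mac" means
# MAC-based access control.
ONLINE_USERS = [
    ("GE1/0/1", "mac", 10, "0001-0001-0001"),
    ("GE1/0/1", "mac", 10, "0001-0001-0002"),
    ("GE1/0/2", "port", 20, "0002-0002-0001"),
    ("GE1/0/2", "port", 20, "0002-0002-0002"),
    ("GE1/0/2", "port", 20, "0002-0002-0003"),
    ("GE1/0/3", "mac", 30, "0003-0003-0001"),
]


def count_users_per_vlan(online_users):
    """Count online 802.1X users per VLAN.

    On a port that performs port-based access control, all 802.1X users
    attached to the port are counted as one user, so such a port contributes
    a single count per (port, VLAN) pair instead of one count per MAC address.
    """
    counts = Counter()
    counted_port_based = set()
    for port, mode, vlan, _mac in online_users:
        if mode == "port":
            if (port, vlan) in counted_port_based:
                continue
            counted_port_based.add((port, vlan))
        counts[vlan] += 1
    return counts


def pick_vlan_from_group(group_vlans, online_users):
    """Pick the VLAN for a new 802.1X user from a server-assigned VLAN group.

    Step 1: the VLAN with the fewest online 802.1X users wins.
    Step 2: on a tie, the VLAN with the lower ID wins.
    A VLAN absent from the counts has zero online users.
    """
    if not group_vlans:
        raise ValueError("VLAN group is empty")
    counts = count_users_per_vlan(online_users)
    return min(group_vlans, key=lambda vlan: (counts[vlan], vlan))
```

With the sample data, group [10, 20, 30] yields VLAN 20: the three users on the port-based port count as one, tying with VLAN 30, and the lower ID wins.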
Guest VLAN
You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, the user is removed from the guest VLAN and can access authorized network resources. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.