Dell PowerConnect M6220 Configuration Guide - Page 88

X Authentication and VLANs, Authenticated and Unauthenticated VLANs

Get Dell PowerConnect M6220 PDF manuals and user guides View all Dell PowerConnect M6220 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 88 highlights

Maximum Requests 2 Max Users 3 Supplicant Timeout 30 Server Timeout (secs 30 Logical Port ------112 Supplicant MAC-Address 0000.0000.0000 AuthPAE State -------Initialize Backend State -------Idle VLAN Id ----- Username -------- Filter Id ------ 802.1X Authentication and VLANs The PowerConnect 6200 Series switches allow a port to be placed into a particular VLAN based on the result of type of 802.1X authentication a client uses when it accesses the switch. The RADIUS server or IEEE 802.1X Authenticator can provide information to the switch about which VLAN to assign the host (supplicant). When a host connects to a switch that uses a RADIUS server or 802.1X Authenticator to authenticate the host, the host authentication can typically have one of three outcomes: • The host is authenticated. • The host attempts to authenticate but fail because it lacks certain security credentials. • The host is a guest and does not try to authenticate at all. You can create three separate VLANs on the switch to handle hosts depending on whether the host authenticates, fails the authentication, or is a guest. The RADIUS server informs the switch of the selected VLAN as part of the authentication. Authenticated and Unauthenticated VLANs Hosts that authenticate normally use a VLAN that includes access to network resources. Hosts that fail the authentication might be denied access to the network or placed on a "quarantine" VLAN with limited network access. Much of the configuration to assign hosts to a particular VLAN takes place on the RADIUS server or 802.1X authenticator. If you use an external RADIUS server to manage VLANs, you configure the server to use Tunnel attributes in Access-Accept messages in order to inform the switch about the selected VLAN. These attributes are defined in RFC 2868, and their use for dynamic VLAN is specified in RFC 3580. The VLAN attributes defined in RFC3580 are as follows: • Tunnel-Type=VLAN (13) • Tunnel-Medium-Type=802 • Tunnel-Private-Group-ID=VLANID 88 Device Security

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
88
Device Security
Maximum Requests
...............................
2
Max Users
......................................
3
Supplicant Timeout
.............................
30
Server Timeout (secs)
..........................
30
Logical
Supplicant
AuthPAE
Backend
VLAN
Username Filter
Port
MAC-Address
State
State
Id
Id
-------
--------------
--------
-------- ----- --------
------
112
0000.0000.0000
Initialize Idle
802.1X Authentication and VLANs
The PowerConnect 6200 Series switches allow a port to be placed into a particular VLAN based on the
result of type of 802.1X authentication a client uses when it accesses the switch. The RADIUS server or
IEEE 802.1X Authenticator can provide information to the switch about which VLAN to assign the host
(supplicant).
When a host connects to a switch that uses a RADIUS server or 802.1X Authenticator to authenticate
the host, the host authentication can typically have one of three outcomes:
The host is authenticated.
The host attempts to authenticate but fail because it lacks certain security credentials.
The host is a guest and does not try to authenticate at all.
You can create three separate VLANs on the switch to handle hosts depending on whether the host
authenticates, fails the authentication, or is a guest. The RADIUS server informs the switch of the
selected VLAN as part of the authentication.
Authenticated and Unauthenticated VLANs
Hosts that authenticate normally use a VLAN that includes access to network resources. Hosts that fail
the authentication might be denied access to the network or placed on a "quarantine" VLAN with
limited network access.
Much of the configuration to assign hosts to a particular VLAN takes place on the RADIUS server or
802.1X authenticator. If you use an external RADIUS server to manage VLANs, you configure the server
to use Tunnel attributes in Access-Accept messages in order to inform the switch about the selected
VLAN. These attributes are defined in RFC 2868, and their use for dynamic VLAN is specified in RFC
3580.
The VLAN attributes defined in RFC3580 are as follows:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID