User's Manual
Security: 802.1X Authentication
Authenticator Overview
392 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
19
For a device to be authenticated and authorized at a port which is DVA-enabled:
• The RADIUS server must authenticate the device and dynamically assign a 
VLAN to the device. You can set the RADIUS VLAN Assignment field to 
static in the Port Authentication page. This enables the host to be bridged 
according to static configuration.
• A RADIUS server must support DVA with RADIUS attributes tunnel-type 
(64) = VLAN (13), tunnel-media-type (65) = 802 (6), and tunnel-private-
group-id = a VLAN ID.
When the RADIUS-Assigned VLAN feature is enabled, the host modes behave as 
follows:
• Single-Host and Multi-Host Mode
Untagged traffic and tagged traffic belonging to the RADIUS-assigned 
VLAN are bridged via this VLAN. All other traffic not belonging to 
unauthenticated VLANs is discarded.
• Full Multi-Sessions Mode 
Untagged traffic and tagged traffic not belonging to the unauthenticated 
VLANs arriving from the client are assigned to the RADIUS-assigned VLAN 
using TCAM rules and are bridged via the VLAN. 
• Multi-Sessions Mode in Layer 3 System Mode
This mode does not support RADIUS-assigned VLAN, except for SG500X 
and SG500XG devices in native stacking mode
The following table describes guest VLAN and RADIUS-VLAN assignment support 
depending on authentication method and port mode. 
Legend:
†—The port mode supports the guest VLAN and RADIUS-VLAN assignment
N/S—The port mode does not support the authentication method.
Authentication 
Method
Single-host Multi-host Multi-sessions
Device in L3 Device in L2
802.1x
††N/S†
MAC
††N/S†
WEB
N/S N/S N/S N/S










