Reference Guide
802.1X | 119
Dynamic VLAN Assignment with Port Authentication
FTOS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is
RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x
procedure:
1. The host sends a dot1x packet to the Dell Force10 system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port
number.
3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the
VLAN assignment using Tunnel-Private-Group-ID.
Figure 9-5 shows the configuration on the Dell Force10 system before connecting the end-user device in
black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding
numbered steps on dynamic VLAN assignment with 802.1X.
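Step 3 seen from the receiving side, as an added example that is not from the FTOS guide: a Python parser that extracts the VLAN from a RADIUS Access-Accept and rejects malformed or out-of-range values. The Tunnel-Type (VLAN) and Tunnel-Medium-Type (IEEE 802) checks follow RFC 3580 and are an assumption here, since the guide names only attribute 81; the helper names and the sample packet are constructed.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81  # RFC 2868 attribute numbers
VLAN, IEEE_802 = 13, 6                                # RFC 3580 values for the first two

def attr(code, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([code, len(value) + 2]) + value

def build_accept(vlan, tag=None):
    """Constructed sample Access-Accept with a zeroed authenticator, not a capture."""
    lead = bytes([tag or 0])
    pgid = (bytes([tag]) if tag else b"") + str(vlan).encode()
    avps = (attr(TUNNEL_TYPE, lead + VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM, lead + IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PGID, pgid))
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(avps), bytes(16)) + avps

def assigned_vlan(packet):
    """Return the VLAN ID an Access-Accept assigns, or None if absent or malformed.

    Assumption: the Response Authenticator was already verified against the
    shared secret; nothing here authenticates the packet.
    """
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        return None
    found, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                       # attribute runs past the packet
        found.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    if pos != length:
        return None                           # stray trailing octet
    if found.get(TUNNEL_TYPE, b"")[1:] != VLAN.to_bytes(3, "big"):
        return None
    if found.get(TUNNEL_MEDIUM, b"")[1:] != IEEE_802.to_bytes(3, "big"):
        return None
    pgid = found.get(TUNNEL_PGID, b"")
    if pgid[:1] and pgid[0] <= 0x1F:          # leading octet <= 0x1F is a tag, not text
        pgid = pgid[1:]
    if not pgid.isdigit() or not 1 <= int(pgid) <= 4094:
        return None                           # not a usable 802.1Q VLAN ID
    return int(pgid)
```

Calling `assigned_vlan(build_accept(400))` returns 400, the VLAN used in Figure 9-5.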
Figure 9-5. Dynamic VLAN Assignment with 802.1X
Step  Task
1     Configure 802.1X globally and at interface level (refer to Enabling 802.1X) along with relevant
      RADIUS server configurations (Figure 9-5).
2     Make the interface a switchport so that it can be assigned to a VLAN.
3     Create the VLAN to which the interface will be assigned.
4     Connect the supplicant to the port configured for 802.1X.
5     Verify that the port has been authorized and placed in the desired VLAN (Figure 9-5, red text).
FTOS(conf-if-vl-400)# show config
interface Vlan 400
 no ip address
 shutdown

FTOS#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged

    NUM    Status      Description    Q Ports
*   1      Inactive                   U Gi 1/10
    400    Inactive

FTOS#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged

    NUM    Status      Description    Q Ports
*   1      Inactive
    400    Active                     U Gi 1/10

radius-server host 10.11.197.169 auth-port 1645 key 7 387a7f2df5969da4

FTOS(conf-if-gi-1/10)#show config
interface GigabitEthernet 1/10
 no ip address
 switchport
 dot1x authentication
 no shutdown

FTOS#show dot1x interface gigabitethernet 1/10
802.1x information on Gi 1/10:
-----------------------------
Dot1x Status:        Enable
Port Control:        AUTO
Port Auth Status:    AUTHORIZED
Re-Authentication:   Disable
Untagged VLAN id:    400
Tx Period:           30 seconds
Quiet Period:        60 seconds
ReAuth Max:          2
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         2
Auth Type:           SINGLE_HOST
Auth PAE State:      Authenticated
Backend State:       Idle

[Figure 9-5 diagram labels: End-user Device, Dell Force10 switch, RADIUS Server]