Reference Guide
Network Security 255
•
Multi-Session Dot1x
—Every device (supplicant) connecting to a port
must be authenticated and authorized by the switch (authenticator),
separately in a different Dot1x session. This is the only mode that supports
Dynamic VLAN Assignment (DVA).
Dynamic VLAN Assignment (DVA)
Dynamic VLAN Assignment (DVA) is also referred to as RADIUS VLAN
Assignment in this guide. When a port is in Multiple Session mode and is
DVA-enabled, the switch automatically adds the port as an untagged member
of the VLAN that is assigned by the RADIUS server during the authentication
process. The switch classifies untagged packets to the assigned VLAN if the
packets originated from the devices or ports that are authenticated and
authorized.
For a device to be authenticated and authorized at a DVA-enabled port:
• The RADIUS server must authenticate the device and dynamically assign
a VLAN to the device.
• The assigned VLAN must not be the default VLAN and must have been
created on the switch.
• The switch must not be configured to use both a DVA and a MAC-based
VLAN group.
• A RADIUS server must support DVA with RADIUS attributes tunnel-type
(64) = VLAN (13), tunnel-media-type (65) = 802 (6), and tunnel-private-
group-id = a VLAN ID.
Dynamic Policy/ACL Assignment
The Dynamic Policy/ACL Assignment feature enables specifying a user-
defined ACL or policy in the RADIUS server. After a successful
authentication, the user is assigned that ACL.
Authentication Methods
The possible authentication methods are:
•
Dot1x
— The switch supports this authentication mechanism, as
described in the standard, to authenticate and authorize Dot1x
supplicants.