Users Guide
Figure 12. Dynamic VLAN Assignment
1. Congure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server congurations.
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface is assigned.
4. Connect the supplicant to the port congured for 802.1X.
5. Verify that the port has been authorized and placed in the desired VLAN.
Guest and Authentication-Fail VLANs
Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the
supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is congured or
the VLAN that the authentication server indicates in the authentication data.
NOTE: Ports cannot be dynamically assigned to the default VLAN.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not
appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the
network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate
themselves. To be able to connect such devices, they must be allowed access the network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation regarding non-802.1X capable devices and the Authentication-fail VLAN
802.1X extension addresses this limitation regarding external users.
• If the supplicant fails authentication a specied number of times, the authenticator places the port in the Authentication-fail
VLAN.
802.1X
105