Download User Manual

23
Security: 802.1X Authentication
Authenticator Overview
NOTE RADIUS VLAN assignment is only supported on the Sx500 devices when the
device is in Layer 2 system mode. The SG500X and SG500XG devices act like
Sx500 devices when they are in basic and advanced hybrid stacking mode.
For a device to be authenticated and authorized at a port which is DVA-enabled:
•
The RADIUS server must authenticate the device and dynamically assign a VLAN to the device. You
can set the RADIUS VLAN Assignment field to static in the Port Authentication page. This enables the
host to be bridged according to static configuration.
•
A RADIUS server must support DVA with RADIUS attributes tunnel-type (64) = VLAN (13), tunnelmedia-type (65) = 802 (6), and tunnel-private-group-id = a VLAN ID.
When the RADIUS-Assigned VLAN feature is enabled, the host modes behave as follows:
•
Single-Host and Multi-Host Mode
Untagged traffic and tagged traffic belonging to the RADIUS-assigned VLAN are bridged via this
VLAN. All other traffic not belonging to unauthenticated VLANs is discarded.
•
Full Multi-Sessions Mode
Untagged traffic and tagged traffic not belonging to the unauthenticated VLANs arriving from the
client are assigned to the RADIUS-assigned VLAN using TCAM rules and are bridged via the VLAN.
•
Multi-Sessions Mode in Layer 3 System Mode
This mode does not support RADIUS-assigned VLAN, except for SG500X and SG500XG devices in
native stacking mode
The following table describes guest VLAN and RADIUS-VLAN assignment support depending on authentication
method and port mode.
VLAN and RADIUS-VLAN Assignment
Authentication
Method
Single-host
Multi-host
Multi-sessions
Device in L3
Device in L2
802.1x
†
†
N/S
†
MAC
†
†
N/S
†
WEB
N/S
N/S
N/S
N/S
Legend:
†—The port mode supports the guest VLAN and RADIUS-VLAN assignment
N/S—The port mode does not support the authentication method.
Cisco Small Business 500 Series Stackable Managed Switch Administration Guide
436