Configuration Guide Vol. 2


12.2.3 Dynamic VLAN setting

The following figure shows a sample configuration for multi-step authentication in dynamic VLAN mode.

Figure 12-3: Example of configuring multi-step authentication in dynamic VLAN mode


In this example, a guest user's PC and an employee user's PC are connected to a port configured with the user authentication authorization option. The guest user is authenticated through that option (Web authentication (user authentication) after MAC authentication (terminal authentication) fails) and, once authentication succeeds, is switched to the post-authentication VLAN (VLAN 30). The employee user is authenticated by multi-step authentication (MAC authentication followed by Web authentication) but is switched to the post-authentication VLAN (VLAN 40) as soon as MAC authentication succeeds.

Because the guest user attempts Web authentication after MAC authentication has failed, the guest user obtains an IP address from the DHCP server while still in the pre-authentication VLAN. The employee user, on the other hand, attempts Web authentication after MAC authentication has succeeded, so the IP address is obtained from the DHCP server in the post-authentication VLAN.

Points to note

In this example, the following items are set for the port subject to authentication:

  • Setting up the VLANs, including the MAC VLANs

  • Configuring the 802.1X authentication method

  • Configuring the MAC port and its native VLAN

  • Setting up terminal authentication (MAC authentication)

  • Setting up user authentication (Web authentication)

  • Configuring the multi-step authentication port (with the user authentication authorization option)

  • Setting the authentication IPv4 access list

For the settings required for Web authentication, see "9 Web Authentication Setting and Operation" and for the settings required for MAC authentication, see "11 MAC Authentication Setting and Operation".

Command examples

  1. (config)# vlan 30 mac-based

    (config-vlan)# exit

    (config)# vlan 40 mac-based

    (config-vlan)# exit

    Sets VLAN IDs 30 and 40 as MAC VLANs. (Use the same VLAN IDs as the post-authentication VLANs that the RADIUS server notifies.)

  2. (config)# vlan 20

    (config-vlan)# exit

    Set VLAN ID 20.

  3. (config)# aaa authentication mac-authentication default group radius

    (config)# aaa authentication web-authentication default group radius

    Sets RADIUS authentication as the authentication method for MAC authentication and Web authentication.

  4. (config)# interface gigabitethernet 0/1

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac native vlan 20

    Sets port 0/1 as a MAC port and sets VLAN 20 as the native VLAN (pre-authentication VLAN) of the MAC port.

  5. (config-if)# web-authentication port

    (config-if)# mac-authentication port

    (config-if)# authentication multi-step permissive

    (config-if)# exit

    Sets Web authentication, MAC authentication, and multi-step authentication (with the user authentication authorization option) on port 0/1.

  6. (config)# interface gigabitethernet 0/1

    (config-if)# authentication ip access-group L2-AUTH

    (config-if)# authentication arp-relay

    (config-if)# exit

    Re-enters interface configuration mode for port 0/1 (the previous step left it with exit), applies the authentication-only IPv4 access list L2-AUTH to frames from pre-authentication terminals on the port, and enables forwarding of ARP frames from unauthenticated terminals.

  7. (config)# ip access-list extended L2-AUTH

    (config-ext-nacl)# permit udp any any eq bootps

    (config-ext-nacl)# exit

    Configures an authentication-only IPv4 access list that allows forwarding of DHCP frames (bootps) from pre-authentication terminals.
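Steps 1 to 7 above are the checklist under "Points to note". The following script, an added example rather than anything shipped with the switch or this guide, parses a running-config text assembled from those command examples (constructed here as plain lines, with sub-mode commands indented under their parent) and reports which items are missing on a given port. The interface name, the set of expected post-authentication VLANs, and the finding messages are this example's own choices.

```python
import re

# Constructed running-config text assembled from the command examples on this page.
# On the switch, "vlan 30 mac-based" and "interface ..." open sub-modes; here their
# sub-mode commands are simply indented under the parent line.
SAMPLE_CONFIG = """\
vlan 20
vlan 30 mac-based
vlan 40 mac-based
aaa authentication mac-authentication default group radius
aaa authentication web-authentication default group radius
ip access-list extended L2-AUTH
  permit udp any any eq bootps
interface gigabitethernet 0/1
  switchport mode mac-vlan
  switchport mac native vlan 20
  web-authentication port
  mac-authentication port
  authentication multi-step permissive
  authentication ip access-group L2-AUTH
  authentication arp-relay
"""


def parse_config(text):
    """Split a config into global lines plus per-interface and per-ACL sub-mode lines."""
    cfg = {"global": [], "interfaces": {}, "acls": {}}
    block = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw[0].isspace():            # indented: belongs to the currently open block
            if block is not None:
                block.append(line)
            continue
        block = None
        m_if = re.match(r"interface (\S+ \S+)$", line)
        m_acl = re.match(r"ip access-list extended (\S+)$", line)
        if m_if:
            block = cfg["interfaces"].setdefault(m_if.group(1), [])
        elif m_acl:
            block = cfg["acls"].setdefault(m_acl.group(1), [])
        else:
            cfg["global"].append(line)
    return cfg


def first_match(pattern, lines):
    """Group 1 of the first line matching pattern, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def check_dynamic_vlan_port(cfg, ifname, post_auth_vlans):
    """Return findings (an empty list means OK) for the 'Points to note' checklist."""
    findings = []
    glob, ifc = cfg["global"], cfg["interfaces"].get(ifname, [])
    if not ifc:
        return [f"{ifname}: interface not configured"]
    # step 1: every post-authentication VLAN the RADIUS server may notify must be a MAC VLAN
    mac_vlans = {int(l.split()[1]) for l in glob if re.fullmatch(r"vlan \d+ mac-based", l)}
    for v in sorted(post_auth_vlans):
        if v not in mac_vlans:
            findings.append(f"VLAN {v}: not created with 'vlan {v} mac-based'")
    # step 3: an authentication method for both MAC and Web authentication
    for kind in ("mac-authentication", "web-authentication"):
        if not any(l.startswith(f"aaa authentication {kind} ") for l in glob):
            findings.append(f"aaa authentication {kind}: no method configured")
    # step 4: a MAC port whose native (pre-authentication) VLAN is a plain VLAN (step 2)
    if "switchport mode mac-vlan" not in ifc:
        findings.append(f"{ifname}: not a MAC port (switchport mode mac-vlan)")
    native = first_match(r"switchport mac native vlan (\d+)$", ifc)
    if native is None:
        findings.append(f"{ifname}: no native (pre-authentication) VLAN")
    elif f"vlan {native}" not in glob:
        findings.append(f"{ifname}: native VLAN {native} is not defined as a plain VLAN")
    # steps 5 and 6: both authentication modes, the permissive multi-step option, ARP relay
    for cmd in ("web-authentication port", "mac-authentication port",
                "authentication multi-step permissive", "authentication arp-relay"):
        if cmd not in ifc:
            findings.append(f"{ifname}: missing '{cmd}'")
    # steps 6 and 7: the referenced ACL must exist and let DHCP (bootps) through before auth
    acl = first_match(r"authentication ip access-group (\S+)$", ifc)
    if acl is None:
        findings.append(f"{ifname}: no authentication ip access-group")
    elif acl not in cfg["acls"]:
        findings.append(f"ACL {acl}: referenced but not defined")
    elif not any(re.match(r"permit udp .* eq bootps$", l) for l in cfg["acls"][acl]):
        findings.append(f"ACL {acl}: no 'permit udp ... eq bootps' entry, DHCP would be blocked")
    return findings


if __name__ == "__main__":
    result = check_dynamic_vlan_port(parse_config(SAMPLE_CONFIG), "gigabitethernet 0/1", {30, 40})
    print("OK" if not result else "\n".join(result))
```

Run it against the saved configuration of each port that should be a dynamic-VLAN multi-step port; a missing `bootps` permit or a post-authentication VLAN that was created without `mac-based` are the two omissions that most often leave pre-authentication terminals without an address or authenticated terminals in the wrong VLAN.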

Notes

If the successful authentication (Accept) received from the RADIUS server for MAC authentication carries no post-authentication VLAN attribute, the terminal is placed in the native VLAN of the corresponding port. In that case the terminal is handled as an authenticated terminal in fixed VLAN mode.
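The guest and employee flows described at the top of this section, together with the case in the Notes above, can be followed in the following model. It is an added example, not code from the switch vendor or this guide: the VLAN numbers and the pre-authentication access list are taken from the command examples, the MAC addresses are constructed from the IANA documentation range, and the two branches marked as assumptions (a RADIUS VLAN that was not created as a MAC VLAN, and a Web authentication Accept without a usable VLAN) are not covered by the page's text.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Values taken from the command examples on this page
PRE_AUTH_VLAN = 20                 # native VLAN of MAC port 0/1 (step 4)
MAC_BASED_VLANS = {30, 40}         # VLANs created with "vlan ... mac-based" (step 1)
PRE_AUTH_ACL = [("udp", 67)]       # L2-AUTH: permit udp any any eq bootps (step 7)
ARP_RELAY = True                   # authentication arp-relay (step 6)


class Mode(Enum):
    UNAUTHENTICATED = "unauthenticated"
    DYNAMIC_VLAN = "dynamic VLAN mode"
    FIXED_VLAN = "fixed VLAN mode"


@dataclass
class RadiusReply:
    accept: bool
    vlan: Optional[int] = None     # post-authentication VLAN attribute, if present


@dataclass
class Terminal:
    mac: str
    vlan: int = PRE_AUTH_VLAN      # every terminal starts in the pre-authentication VLAN
    mode: Mode = Mode.UNAUTHENTICATED
    stage: str = "mac-authentication"
    log: list = field(default_factory=list)


def mac_authentication(t: Terminal, reply: RadiusReply) -> Terminal:
    """Terminal authentication, the first step on the multi-step port."""
    if not reply.accept:
        # user authentication authorization option (permissive): a MAC failure is not
        # final; the terminal stays in VLAN 20 and is offered Web authentication instead
        t.log.append("MAC auth failed: fall back to Web auth in the pre-auth VLAN")
        t.stage = "web-authentication"
        return t
    if reply.vlan is None:
        # Notes: Accept without a VLAN attribute -> native VLAN, fixed VLAN mode
        t.vlan, t.mode = PRE_AUTH_VLAN, Mode.FIXED_VLAN
        t.log.append("MAC auth accepted without VLAN: native VLAN, fixed VLAN mode")
    elif reply.vlan in MAC_BASED_VLANS:
        # employee path: the terminal moves to the post-auth VLAN right after MAC auth
        t.vlan, t.mode = reply.vlan, Mode.DYNAMIC_VLAN
        t.log.append(f"MAC auth accepted: moved to VLAN {reply.vlan}")
    else:
        # Assumption (not stated on the page): a VLAN that was not created as
        # mac-based cannot be assigned, so the terminal is left unauthenticated
        t.log.append(f"RADIUS VLAN {reply.vlan} is not a MAC VLAN: check step 1")
        return t
    t.stage = "web-authentication"     # Web authentication (user authentication) follows
    return t


def web_authentication(t: Terminal, reply: RadiusReply) -> Terminal:
    """User authentication, the second step on the multi-step port."""
    if t.stage != "web-authentication":
        raise ValueError("MAC authentication must run first on a multi-step port")
    if reply.accept and reply.vlan in MAC_BASED_VLANS:
        t.vlan, t.mode = reply.vlan, Mode.DYNAMIC_VLAN
        t.log.append(f"Web auth accepted: moved to VLAN {reply.vlan}")
    elif reply.accept:
        # Assumption (not stated on the page): an Accept without a usable VLAN keeps the VLAN
        t.log.append("Web auth accepted without VLAN: VLAN unchanged")
    else:
        t.log.append("Web auth failed: terminal keeps its current state")
    t.stage = "done"
    return t


def pre_auth_frame_forwarded(proto: str, dst_port: Optional[int] = None) -> bool:
    """Whether L2-AUTH plus arp-relay lets a frame from an unauthenticated terminal through."""
    if proto == "arp":
        return ARP_RELAY
    return (proto, dst_port) in PRE_AUTH_ACL


def run_guest():
    """Guest PC: MAC auth fails, Web auth succeeds -> VLAN 30; DHCP was done on VLAN 20."""
    t = Terminal("00:00:5e:00:53:01")          # constructed MAC (documentation range)
    t = mac_authentication(t, RadiusReply(accept=False))
    dhcp_vlan = t.vlan                          # IP address is obtained before Web auth
    t = web_authentication(t, RadiusReply(accept=True, vlan=30))
    return t, dhcp_vlan


def run_employee():
    """Employee PC: MAC auth succeeds -> VLAN 40 at once; DHCP is done on VLAN 40."""
    t = Terminal("00:00:5e:00:53:02")          # constructed MAC
    t = mac_authentication(t, RadiusReply(accept=True, vlan=40))
    dhcp_vlan = t.vlan
    t = web_authentication(t, RadiusReply(accept=True, vlan=40))
    return t, dhcp_vlan


def run_accept_without_vlan():
    """The case from Notes: Accept with no post-authentication VLAN attribute."""
    return mac_authentication(Terminal("00:00:5e:00:53:03"), RadiusReply(accept=True))


if __name__ == "__main__":
    for label, (t, dhcp) in (("guest", run_guest()), ("employee", run_employee())):
        print(f"{label}: final VLAN {t.vlan}, {t.mode.value}, DHCP on VLAN {dhcp}")
    t = run_accept_without_vlan()
    print(f"no VLAN attribute: VLAN {t.vlan}, {t.mode.value}")
```

The `pre_auth_frame_forwarded` check is why the guest's DHCP exchange works at all: before authentication only ARP and UDP to the bootps port pass through the port, so a RADIUS Accept that omits the VLAN attribute is worth watching for in the authentication log, since the terminal then stays in VLAN 20 yet is counted as authenticated.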