8.2.2 Dynamic VLAN
When a terminal with membership to the pre-authentication VLAN undergoes successful authentication in dynamic VLAN mode, the switch registers the terminal in a MAC VLAN and enters it in a MAC address table based on the VLAN ID provided by the internal Web authentication DB or the RADIUS server. As a result, the terminal gains access to the post-authentication VLAN. For this to work, the following configuration is required:
- The ports in the MAC VLAN must be configured as authentication ports
- An access list must be configured that prohibits unnecessary communication between the pre-authentication and post-authentication VLANs
(1) Local authentication method
The figure below describes local authentication using an internal Web authentication DB.
- A user of a PC connected via a hub opens a Web browser and accesses the Switch.
- The Switch compares the user ID and password entered by the user against the user information in the internal Web authentication DB.
- If authentication succeeds, a page appears on the PC indicating that authentication was successful, and the PC gains membership to the post-authentication VLAN.
- The authenticated PC is able to access servers in the post-authentication VLAN.
(2) RADIUS authentication method
The figure below describes RADIUS authentication using a RADIUS server.
- A user of a PC connected via a hub opens a Web browser and accesses the Switch.
- Authentication takes place by comparing the user ID and password entered by the user against the user information registered on the RADIUS server.
- If authentication succeeds, a page appears on the PC indicating that authentication was successful, and the PC gains membership to the post-authentication VLAN.
- The authenticated PC is able to access servers in the post-authentication VLAN.
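
The following is an added example, not taken from this manual, of validating the VLAN ID that a RADIUS server returns before a terminal is moved out of the pre-authentication VLAN. It assumes the VLAN ID arrives in the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) as a decimal string, which this page does not specify; the function names, `allowed_vlans` and the sample bytes are constructed for illustration.

```python
# RADIUS attribute types (RFC 2868) and the values RFC 3580 requires for a VLAN.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def attr(a_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([a_type, len(value) + 2]) + value

def parse_attributes(data: bytes) -> dict:
    """Split the attribute section of a RADIUS packet into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        # The length octet covers the 2-octet header and must stay in bounds.
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def tagged_int(value: bytes) -> int:
    """Tunnel-Type and Tunnel-Medium-Type: 1 tag octet + 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tunnel attribute must be 4 octets")
    return int.from_bytes(value[1:], "big")

def post_auth_vlan(attrs_raw: bytes, allowed_vlans: set) -> int:
    """Return the VLAN ID to register the MAC in; raise to keep it pre-auth."""
    attrs = parse_attributes(attrs_raw)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(t not in attrs for t in needed):
        raise ValueError("Access-Accept carries no complete VLAN assignment")
    if tagged_int(attrs[TUNNEL_TYPE]) != TYPE_VLAN:
        raise ValueError("Tunnel-Type is not VLAN")
    if tagged_int(attrs[TUNNEL_MEDIUM_TYPE]) != MEDIUM_IEEE_802:
        raise ValueError("Tunnel-Medium-Type is not IEEE-802")
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:      # optional tag octet (RFC 2868)
        group = group[1:]
    text = group.decode("ascii")        # assumption: decimal VLAN ID string
    # Only VLANs configured as post-authentication MAC VLANs are acceptable.
    if not text.isdigit() or int(text) not in allowed_vlans:
        raise ValueError("VLAN ID is not an allowed post-authentication VLAN")
    return int(text)

# Constructed sample: attribute section of an Access-Accept assigning VLAN 30.
SAMPLE_ACCEPT = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
                 + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
                 + attr(TUNNEL_PRIVATE_GROUP_ID, b"30"))
```

Any `ValueError` means the terminal is not registered in a MAC VLAN and remains in the pre-authentication VLAN.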