10.2.2 Dynamic VLAN
When a terminal with membership to the pre-authentication VLAN undergoes successful authentication in dynamic VLAN mode, the terminal is registered in a MAC VLAN and a MAC address table based on a VLAN ID provided by the internal MAC-based authentication DB or the RADIUS server. As a result, the terminal gains access to the post-authentication VLAN. For this to work, the following configuration is required:
-
The ports in the MAC VLAN must be configured as authentication ports
For a device to have access to the pre-authentication VLAN, you need to make sure that the authentication IPv4 access list contains the necessary filter conditions.
- <Structure of this section>
(1) Local authentication method
In local authentication, the switch compares the source MAC address of frames received at a MAC-based authentication port against the MAC addresses registered in the internal MAC-based authentication DB. If the source MAC address matches an entry in the database, the switch registers the MAC address of the device in a MAC VLAN and MAC address table based on the VLAN ID that the database provides. The device is then able to access the post-authentication VLAN.
|
|
![[Figure Data]](./GRAPHICS/ZU208522.GIF)
(2) RADIUS authentication-method
In RADIUS authentication, the switch submits the source MAC address of frames received at a MAC-based authentication port to the RADIUS server for authentication. If the source MAC address matches an entry on the server, the switch registers the MAC address of the device in a MAC VLAN and MAC address table based on the VLAN ID that the RADIUS server provides. The device is then able to access the post-authentication VLAN.
You can use the mac-authentication password configuration command to set the password that the switch uses when submitting an authentication request to the RADIUS server. If you omit this command, the switch uses the device's MAC address as the password.
|
|
![[Figure Data]](./GRAPHICS/ZU208523.GIF)