Supplicant and vlan associations – Allied Telesis AT-S63 User Manual

Page 436


Chapter 36: 802.1x Port-based Network Access Control

Section VIII: Port Security

Supplicant and VLAN Associations

One of the challenges to managing a network is accommodating end
users that roam. These are individuals whose work requires that they
access the network resources from different points at different times. The
difficulty arises in providing them with access to the same network
resources and, conversely, restricting them from unauthorized areas,
regardless of the workstation from where they access the network. A
closely related issue is where a workstation is employed at various times
by different individuals with unique requirements in terms of network
resources and security levels.

Providing network users with access to their network resources while also
maintaining network security is often achieved through the use of VLANs.
As explained in “Overview” on page 313, a VLAN is an independent traffic
domain where the traffic generated by the nodes within the VLAN is
restricted to nodes of the same VLAN, unless there is a router or Layer 3
device. Different users are assigned to different VLANs depending on their
resource requirements and security levels.

The problem with a port-based VLAN is that VLAN membership is
determined by the port on the switch to which the device is connected. If a
different device that needs to belong to a different VLAN is connected to
the port, the port must be manually moved to the new VLAN using the
management software.

With 802.1x port-based network access control, you can link a username
and password combination or MAC address to a specific VLAN so that the
switch automatically moves the port to the appropriate VLAN when a client
logs on. This frees the network manager from having to reconfigure
VLANs as end users access the network from different points or where the
same workstation is used by different individuals at different times.

To use this feature, you have to enter a VLAN identifier, along with other
information, when you create a supplicant account on the RADIUS server.
The server passes the identifier to the switch when a user logs on with a
valid username and password combination or MAC address, depending
on the authentication method. The information to provide on the RADIUS
server is outlined in “Supplicant VLAN Attributes on the RADIUS Server”
on page 437.
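The following is an added illustration, not code from the AT-S63 manual or from Allied Telesis, of the decision an authenticator port has to make when the RADIUS server returns VLAN information in its Access-Accept. It assumes the VLAN identifier travels in the standard RFC 3580 tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN id or name); this page does not name the attributes, so treat that as an assumption. The fallback policy modelled (keep the port in its static VLAN when the attributes are absent, malformed, or name a VLAN the switch does not have) is likewise illustrative, not documented AT-S63 behaviour. The VLAN table and supplicant names are constructed sample data.

```python
# Added example (not from the AT-S63 manual): a small model of an authenticator port
# applying the VLAN carried in a RADIUS Access-Accept.
# Assumptions (not stated on this page): RFC 3580 tunnel attributes are used, and a
# missing or unusable VLAN leaves the port in its administrator-configured VLAN.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # RFC 3580: Tunnel-Medium-Type value meaning "IEEE-802"


@dataclass
class AuthenticatorPort:
    number: int
    static_vlan: int              # port-based VLAN set by the administrator
    current_vlan: int             # VLAN the port is in right now
    supplicant: Optional[str] = None


def vlan_from_access_accept(attrs: Dict[str, object],
                            known_vlans: Dict[str, int]) -> Tuple[Optional[int], str]:
    """Work out which VLAN the supplicant should be placed in.

    known_vlans maps VLAN names to ids for every VLAN configured on the switch.
    Returns (vlan_id, reason); vlan_id is None when nothing usable was supplied.
    """
    ttype = attrs.get("Tunnel-Type")
    medium = attrs.get("Tunnel-Medium-Type")
    group = attrs.get("Tunnel-Private-Group-ID")
    if ttype is None and medium is None and group is None:
        return None, "no VLAN attributes; port keeps its static VLAN"
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802:
        return None, "tunnel attributes do not describe a VLAN over IEEE-802"
    if group is None:
        return None, "Tunnel-Private-Group-ID missing"
    group = str(group)
    # RFC 2868 permits a leading tag octet (0x00-0x1f) on tunnel string attributes;
    # strip it so "\x0120" is read as VLAN 20.
    if group and ord(group[0]) < 0x20:
        group = group[1:]
    if group.isdigit():
        vid = int(group)
        if not 1 <= vid <= 4094:
            return None, "VLAN id %d is outside 1-4094" % vid
        if vid not in known_vlans.values():
            return None, "VLAN %d is not configured on this switch" % vid
        return vid, "VLAN assigned by id"
    if group in known_vlans:
        return known_vlans[group], "VLAN assigned by name"
    return None, "VLAN name %r is not configured on this switch" % group


def on_supplicant_logon(port: AuthenticatorPort, supplicant: str,
                        access_accept_attrs: Dict[str, object],
                        known_vlans: Dict[str, int]) -> Tuple[int, str]:
    """Move the port to the server-supplied VLAN, or keep its static VLAN."""
    vid, reason = vlan_from_access_accept(access_accept_attrs, known_vlans)
    port.supplicant = supplicant
    port.current_vlan = vid if vid is not None else port.static_vlan
    return port.current_vlan, reason


def on_supplicant_logoff(port: AuthenticatorPort) -> int:
    """Return the port to its static VLAN when the supplicant logs off."""
    port.supplicant = None
    port.current_vlan = port.static_vlan
    return port.current_vlan


# Constructed sample VLAN table for the switch (name -> id).
KNOWN_VLANS = {"default": 1, "sales": 20, "engineering": 30}

if __name__ == "__main__":
    port = AuthenticatorPort(number=5, static_vlan=1, current_vlan=1)
    accept = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
              "Tunnel-Private-Group-ID": "engineering"}
    print(on_supplicant_logon(port, "alice", accept, KNOWN_VLANS))   # (30, ...)
    print(on_supplicant_logoff(port))                                 # 1
```

The check that the returned VLAN actually exists on the switch is the part worth keeping in mind operationally: a RADIUS account whose VLAN identifier does not match any VLAN on the switch is a configuration error, and the port should land somewhere predictable (here, its static VLAN) rather than in an undefined state.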

How the switch responds when it receives VLAN information during the
authentication process can differ depending on the operating mode of the
authenticator port.