Configuring Dynamic VLAN Assignment – H3C Technologies H3C WX3000 Series Unified Switches User Manual


• If a combined AAA scheme is configured in addition to separate authentication, authorization and accounting schemes, the separate schemes take precedence.

• The RADIUS scheme and the local scheme do not support separating authentication from authorization. Take care when you configure authentication and authorization for a domain: if the scheme radius-scheme or scheme local command is executed and the authentication command is not executed, the authorization information returned from the RADIUS or local scheme still takes effect even if the authorization none command is executed.

Configuring Dynamic VLAN Assignment

The dynamic VLAN assignment feature enables a device to dynamically add the ports of successfully
authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so
as to control the network resources that different users can access.

Currently, the device supports the following two types of assigned VLAN IDs: integer and string.

• Integer: If the RADIUS authentication server assigns integer-type VLAN IDs, you can set the VLAN assignment mode to integer on the device (this is also the default mode on the device). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the device adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the device first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN.

• String: If the RADIUS authentication server assigns string-type VLAN IDs, you can set the VLAN assignment mode to string on the device. Then, upon receiving a string ID assigned by the RADIUS authentication server, the device compares the ID with the existing VLAN names on the device. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user fails authentication.
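The two modes fail differently when the RADIUS server and the device disagree about a VLAN: integer mode creates the VLAN, string mode rejects the user. The following added example (not from the H3C manual) models the behaviour described above so that RADIUS profiles can be checked against a device's VLAN list before deployment; the function names, outcome labels, the 1-4094 range check, the exact-match name comparison and all sample data are assumptions made for illustration.

```python
def assign_vlan(mode, assigned, vlans):
    """Model the device's handling of one RADIUS-assigned VLAN value.

    mode: "integer" (the device default) or "string"
    assigned: VLAN value from the RADIUS server, as text
    vlans: dict of VLAN ID -> VLAN name already configured on the device
    """
    if mode == "integer":
        # Assumption: IDs outside 1-4094 or non-numeric values are unusable;
        # the manual page does not describe that case.
        if not (assigned.isascii() and assigned.isdigit()):
            return ("invalid", None)
        vid = int(assigned)
        if not 1 <= vid <= 4094:
            return ("invalid", None)
        if vid in vlans:
            return ("join-existing", vid)
        return ("create-and-join", vid)  # VLAN is created, then the port joins
    if mode == "string":
        # Assumption: the name comparison is an exact, case-sensitive match.
        for vid, name in sorted(vlans.items()):
            if name == assigned:
                return ("join-existing", vid)
        return ("auth-fail", None)  # no matching name: authentication fails
    raise ValueError(f"unknown mode: {mode}")


def audit(mode, radius_profiles, vlans):
    """Return profiles whose assigned value misses every pre-provisioned VLAN."""
    findings = []
    for user, assigned in sorted(radius_profiles.items()):
        outcome, _ = assign_vlan(mode, assigned, vlans)
        if outcome != "join-existing":
            findings.append((user, assigned, outcome))
    return findings


# Constructed sample data, not taken from the manual.
DEVICE_VLANS = {1: "default", 10: "staff", 20: "guest"}
RADIUS_PROFILES = {"alice": "10", "bob": "30", "carol": "guest"}

if __name__ == "__main__":
    for mode in ("integer", "string"):
        for user, assigned, outcome in audit(mode, RADIUS_PROFILES, DEVICE_VLANS):
            print(f"{mode:8} {user:6} assigned={assigned!r:8} -> {outcome}")
```

A "create-and-join" finding in integer mode is worth reviewing, because a mistyped ID on the RADIUS server places the port in a newly created VLAN rather than producing an error.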

In practice, to use this feature together with Guest VLAN, it is recommended that you set port control to port-based mode. For more information, refer to the section discussing basic 802.1x configuration in 802.1x and System Guard Operation in H3C WX3000 Series Unified Switches Switching Engine Configuration Guide.

Follow these steps to configure dynamic VLAN assignment:

| To do… | Use the command… | Remarks |
| Enter system view | system-view | |
| Create an ISP domain and enter its view | domain isp-name | |
| Set the VLAN assignment mode | vlan-assignment-mode { integer | string } | Optional. By default, the VLAN assignment mode is integer. |
| Create a VLAN and enter its view | vlan vlan-id | |
