5-34
RADIUS Authentication, Authorization, and Accounting
VLAN Assignment in an Authentication Session
VLAN Assignment in an Authentication
Session
A switch supports concurrent 802.1X and either Web- or MAC-authentication
sessions on a port (with up to 32 clients allowed). If you have configured
RADIUS as the primary authentication method for a type of access, when a
client authenticates on a port, the RADIUS server assigns an untagged VLAN
that is statically configured on the switch for use in the authentication session.
(For information on how to configure a user profile on a RADIUS server with
the VLAN to be assigned for 802.1X, Web, or MAC authentication, refer to the
documentation provided with the RADIUS server application.)
If a switch port is configured to accept multiple 802.1X and/or Web- or MAC-
Authentication client sessions, all authenticated clients must use the same
port-based, untagged VLAN membership assigned for the earliest, currently
active client session. On a port where one or more authenticated client
sessions are already running, all clients are on the same untagged VLAN. If the
RADIUS server subsequently authenticates a new client, but attempts to re-
assign the port to a different, untagged VLAN than the one already in use for
the previously existing, authenticated client sessions, the connection for the
new client will fail.
