- Configuring IEEE 802.1X Port-Based Authentication
- IEEE 802.1X Common Session ID
- IEEE 802.1X Guest VLAN
- IEEE 802.1X RADIUS Accounting
- IEEE 802.1X Voice VLAN
- IEEE 802.1X VLAN Assignment
- IEEE 802.1X Multiple Authentication
- IEEE 802.1X Multidomain Authentication
- IEEE 802.1X Flexible Authentication
- IEEE 802.1X Open Authentication
- IEEE 802.1X Auth Fail VLAN
- Critical Voice VLAN Support
- IEEE 802.1X Wake on LAN Support
- Per-User ACL Support for 802.1X/MAB/Webauth Users
- VLAN RADIUS Attributes in Access Requests
- Finding Feature Information
- Restrictions for VLAN RADIUS Attributes in Access Requests
- Information About VLAN RADIUS Attributes in Access Requests
- How to Configure VLAN RADIUS Attributes in Access Requests
- Configuration Examples for VLAN RADIUS Attributes in Access Requests
- Additional References for VLAN RADIUS Attributes in Access Requests
- Feature Information for VLAN RADIUS Attributes in Access Requests
VLAN RADIUS Attributes in
VLAN RADIUS Attributes in
Access Requests
The VLAN RADIUS Attributes in Access Requests feature enhances the security for access switches with the use of VLAN RADIUS attributes (VLAN name and ID) in the access requests and with an extended VLAN name length of 128 characters.
This module describes how to create an attribute filter-list and how to bind an attribute filter-list with authentication and accounting requests.
- Finding Feature Information
- Restrictions for VLAN RADIUS Attributes in Access Requests
- Information About VLAN RADIUS Attributes in Access Requests
- How to Configure VLAN RADIUS Attributes in Access Requests
- Configuration Examples for VLAN RADIUS Attributes in Access Requests
- Additional References for VLAN RADIUS Attributes in Access Requests
- Feature Information for VLAN RADIUS Attributes in Access Requests
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for VLAN RADIUS Attributes in Access Requests
-
Dynamic VLAN assignment to critical authentication (inaccessible authentication bypass or AAA fail policy) VLAN is not supported.
-
If the RADIUS server becomes unavailable during an 802.1x authentication exchange, the current exchange times out, and the switch uses critical access control lists (ACLs) during the next authentication attempt.
-
In a scenario when the VLAN RADIUS Attributes in Access Requests feature is enabled on a Catalyst 4000 series switch, reloading the switch with an image that does not support the feature may lead to a crash. To recover the switch, erase the vlan.dat file by issuing the erase cat4000_flash: command. Once the vlan.dat file is erased, reboot the switch with the intended image.
Information About VLAN RADIUS Attributes in Access Requests
VLAN RADIUS attributes
Authentication prevents unauthorized devices (clients) from gaining access to the network by using different methods to define how users are authorized and authenticated for network access. To enhance security, you can limit network access for certain users by using VLAN assignment. Information available in the access-request packets sent to the authentication server (AAA or RADIUS server) validates the identity of the user and defines if a user can be allowed to access the network.
-
If MAC authentication bypass is enabled, the network device relays the client's MAC address to the AAA server for authorization. If the client's MAC address is valid, the authorization succeeds and the network device grants the client access to the network.
-
If web-based authentication is enabled, the network device sends an HTTP login page to the client. The network device relays the client's username and password to the AAA server for authorization. If the login succeeds, the network device grants the client access to the network.
While performing authentications, the VLAN RADIUS attributes (name and ID of the VLAN) assigned to the hosting port is included in the RADIUS access requests and accounting requests. The VLAN RADIUS Attributes in Access Requests feature supports VLAN names accommodating 128-character strings.
With the use of VLAN RADIUS attributes in authentication requests, clients are authorized based on existing VLAN segmented networks. The existing VLAN provisioning is used as an indication of the location.
-
Tunnel-Type (IEFT #64) = VLAN
-
Tunnel-Medium-Type (IEFT #65) = 802 (6)
-
Tunnel-Private-Group-ID (IEFT #81) = [tag, string]
Note | The Tunnel-Private-Group-ID includes the VLAN ID or name and accommodates a string length of up to 253 characters. |
How to Configure VLAN RADIUS Attributes in Access Requests
Configuring VLAN RADIUS Attributes in Access Requests
1.
enable
2.
configure
terminal
3.
access-session attributes
filter-list list
list-name
4.
vlan-id
5.
exit
6.
access-session accounting
attributes filter-spec include list
list-name
7.
access-session
authentication attributes filter-spec include list
list-name
8.
end
DETAILED STEPS
Verifying VLAN RADIUS Attributes in Access Requests
1.
enable
2.
debug radius
3.
show authentication sessions interface
DETAILED STEPS
Configuration Examples for VLAN RADIUS Attributes in Access Requests
Example: Configuring VLAN RADIUS Attributes in Access Requests
Device> enable Device# configure terminal Device(config)# access-session attributes filter-list list test-vlan-extension Device(config-com-filter-list)# vlan-id Device(config-com-filter-list)# exit Device(config)# access-session accounting attributes filter-spec include list mylist Device(config)# access-session authentication attributes filter-spec include list mylist Device(config)# end
Additional References for VLAN RADIUS Attributes in Access Requests
Related Documents
Standards and RFCs
Standard/RFC |
Title |
---|---|
RFC 2868 |
RADIUS Attributes for Tunnel Protocol Support |
RFC 2869 |
RADIUS Extensions |
RFC 4675 |
RADIUS Attributes for Virtual LAN and Priority Support |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for VLAN RADIUS Attributes in Access Requests
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
VLAN RADIUS Attributes in Access Requests |
Cisco IOS XE 3.7E Cisco IOS XE Release 3.6E |
The VLAN RADIUS Attributes in Access Requests feature enhances the security for access switches with the use of VLAN RADIUS attributes (VLAN name and ID) in the access requests and with an extended VLAN name length of 128 characters. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches. The following commands were introduced or modified: access-session attributes filter-list list, access-session accounting attributes filter-spec include list, and access-session authentication attributes filter-spec include list. |