cancel
Showing results for 
Search instead for 
Did you mean: 

Dynamic Vlans

SOLVED
Kamran_
Contributor

Dynamic Vlans

Hi all

what are dynamic vlans?? Is IC4000 support dynamic vlan assignment?? If yes then how??

1 ACCEPTED SOLUTION

Accepted Solutions
Stanislas_
New Contributor

Re: Dynamic Vlans

Hi,

You need to configure switch port as 802.1x enabled.

domain default enable testlab-domain
#
dot1x
dot1x retry 10
dot1x timer handshake-period 1024
dot1x retry-version-max 10
dot1x dhcp-launch
dot1x authentication-method eap
#
radius scheme system
radius scheme testlab-scheme
server-type extended
primary authentication xxx.xxx.xxx.xxx (IC IP)
accounting optional
key authentication "Radius_secret"
nas-ip xxx.xxx.xxx.xxx (local IP)

#
domain system
domain testlab-domain
scheme radius-scheme testlab-scheme
authentication radius-scheme testlab-scheme
vlan-assignment-mode string


On Infranet Controler:

In "UAC / Network Access / Location Group" Tab, Create a location Group to send different VLAN based on Switch IP location
In "UAC / Network Access / RADIUS Client" Tab, Create a Client for each Switch and assign it to one location Group
In "UAC / Network Access / RADIUS Attribute" configuration, you create different policies based on Roles and Location Groups. each policy is configured to assign different VLAN in RADIUS Attribute section.

Regards,

Stanislas

View solution in original post

7 REPLIES 7
ManojReddy_
Contributor

Re: Dynamic Vlans

Hi,

Usually without 802.1x inplace in the network, admin would configure a VLAN-ID on a switch port statistically. If a PC is connected to that particular switch port, it will be part of the configured VLAN.

With 802.1X and dynamic VLANs, switch will authenticate the user who is connecting to the port with a RADIUS server and RADIUS server returns(to the switch) the VLAN-ID that has to be configured on the port based on user identity. this capability of switch accepting VLAN-IDs from RADIUS server is nothing but "dynamic VLAN' support on switch.

on the RADIUS Server(Infranet Controller in your case) you can configure radius attribute policy to send VLAN-ID back to the switch when a user authenticates.

thanks

Manoj

Kamran_
Contributor

Re: Dynamic Vlans

hi

sir i m facing problem in configuring 3com 5500 switch, its a layer 3 supporting switch but i cant find any dynamic Vlan support or configuration....what configuration is required on switch regarding dynamic Vlans..??? plz give mention step by step.

Regards

Raja

gdavies_
Occasional Contributor

Re: Dynamic Vlans

Hi Raja,

You appear to be asking on a Juniper Networks forum how to configure a 3Com switch ;-) You may get lucky and find someone with that knowledge here but you might find that the 3Com documentation would be a better place to search.

From the IC side, there are some fairly standardised ways of expressing dynamic VLANs that many vendors now use (including Juniper in the EX series switches).

For each user in the user database (or for groups, to which each user belongs), you need to define three attributes.

Attribute-Name Attribute-Number Attribute-Type

Tunnel-Type 64 Integer

Tunnel-Medium-Type 65 Integer

Tunnel-Private-Group-Id 81 String

Tunnel-Type always equals 13 (VLAN)

Tunnel-Medium-Type always equals 6 (802)

Tunnel-Private-Group-Id is the identifier of the VLAN to which the user should be assigned.

I hope that helps you with setting up the IC. It might also help you find the right info for the 3Com switch.

Rgds,

Guy

Stanislas_
New Contributor

Re: Dynamic Vlans

Hi,

You need to configure switch port as 802.1x enabled.

domain default enable testlab-domain
#
dot1x
dot1x retry 10
dot1x timer handshake-period 1024
dot1x retry-version-max 10
dot1x dhcp-launch
dot1x authentication-method eap
#
radius scheme system
radius scheme testlab-scheme
server-type extended
primary authentication xxx.xxx.xxx.xxx (IC IP)
accounting optional
key authentication "Radius_secret"
nas-ip xxx.xxx.xxx.xxx (local IP)

#
domain system
domain testlab-domain
scheme radius-scheme testlab-scheme
authentication radius-scheme testlab-scheme
vlan-assignment-mode string


On Infranet Controler:

In "UAC / Network Access / Location Group" Tab, Create a location Group to send different VLAN based on Switch IP location
In "UAC / Network Access / RADIUS Client" Tab, Create a Client for each Switch and assign it to one location Group
In "UAC / Network Access / RADIUS Attribute" configuration, you create different policies based on Roles and Location Groups. each policy is configured to assign different VLAN in RADIUS Attribute section.

Regards,

Stanislas

View solution in original post

Kamran_
Contributor

Re: Dynamic Vlans

Thanks alot to all of you for your great help

Now i have 802.1x setup with certificates (Computer) and dynamic VLAN assignment by Microsoft IAS(radius).

Now here comes IC4000 in picture, i wanna replace IAS (radius) with IC4000 builtin SBR instance.

Will it work fine and meet all requirements of 802.1x and dynamically VLAN assignment..???

what steps i need to configure IC4000 as Radius server..???

Thanks again in advance

Raja M Kamran

System Administrator

[email protected]

923223932963

Azaben_
Occasional Contributor

Re: Dynamic Vlans

Hi All,

 

I apply the below commands to enable the 802.1x authentication on 3com 5500 switch and i recieve many errors on that, can anyone let me know what is wrong with the commands, or provide me with working commands to enable the 802.1x authentication with the IC4500

domain default enable alzamildomain
 port-security enable

 dot1x authentication-method eap
 undo dot1x handshake enable

 

radius scheme CUST
 server-type extended
 primary authentication 172.16.2.1

 primary accounting 172.16.2.1
 accounting optional
 key authentication Password.
 key accounting Password.

user-name-format without-domain

nas-ip 172.16.50.1
 calling-station-id mode mode2 uppercase

domain CUST
 scheme radius-scheme CUST
 accounting radius-scheme CUST
 vlan-assignment-mode vlan-list

interface Ethernet1/0/1

poe enable
 stp edged-port enable
 port link-type hybrid
 port hybrid vlan 3 untagged
 undo port hybrid vlan 1
 port hybrid pvid vlan 3
 broadcast-suppression pps 3000
 port-security max-mac-count 1
 port-security port-mode userlogin-secure-or-mac
 port-security guest-vlan 240
 dot1x max-user 1 ,,,,,,,,,,,,,,,,,,,,,,,, i receive errors here " Port Ethernet1/0/21 has set port-mode for port-security, can not support this operation."

 port access vlan 121

undo jumboframe enable

dot1x port-method portbased

dot1x guest-vlan 240

dot1x

dot1x re-authenticate

apply qos-profile default

 

 

Thanks in advanced.

Stanislas P_
Contributor

Re: Dynamic Vlans

Hi,

 

the error explain that you can't configure dot1x max-count if port-security is enabled!

 

in your configuration, disable the following configuration:

port-security port-mode userlogin-secure-or-mac 

 

Regards,

 

Stanislas