Hi all
What are dynamic VLANs? Does the IC4000 support dynamic VLAN assignment? If yes, then how?
Hi,
You need to configure the switch port as 802.1x enabled.
domain default enable testlab-domain
#
dot1x
dot1x retry 10
dot1x timer handshake-period 1024
dot1x retry-version-max 10
dot1x dhcp-launch
dot1x authentication-method eap
#
radius scheme system
radius scheme testlab-scheme
server-type extended
primary authentication xxx.xxx.xxx.xxx (IC IP)
accounting optional
key authentication "Radius_secret"
nas-ip xxx.xxx.xxx.xxx (local IP)
#
domain system
domain testlab-domain
scheme radius-scheme testlab-scheme
authentication radius-scheme testlab-scheme
vlan-assignment-mode string
On the Infranet Controller:
In the "UAC / Network Access / Location Group" tab, create a Location Group to send different VLANs based on switch IP location.
In the "UAC / Network Access / RADIUS Client" tab, create a Client for each switch and assign it to one Location Group.
In the "UAC / Network Access / RADIUS Attribute" configuration, create different policies based on Roles and Location Groups. Each policy is configured to assign a different VLAN in the RADIUS Attribute section.
Regards,
Stanislas
Hi,
Usually, without 802.1X in place in the network, the admin configures a VLAN-ID on a switch port statically. If a PC is connected to that particular switch port, it will be part of the configured VLAN.
With 802.1X and dynamic VLANs, the switch authenticates the user who is connecting to the port against a RADIUS server, and the RADIUS server returns (to the switch) the VLAN-ID that has to be configured on the port based on the user's identity. This capability of the switch accepting VLAN-IDs from the RADIUS server is nothing but "dynamic VLAN" support on the switch.
On the RADIUS server (Infranet Controller in your case) you can configure a RADIUS attribute policy to send the VLAN-ID back to the switch when a user authenticates.
thanks
Manoj
Hi,
Sir, I am facing a problem configuring the 3Com 5500 switch. It is a Layer 3 switch, but I can't find any dynamic VLAN support or configuration. What configuration is required on the switch regarding dynamic VLANs? Please mention it step by step.
Regards
Raja
Hi Raja,
You appear to be asking on a Juniper Networks forum how to configure a 3Com switch ;-) You may get lucky and find someone with that knowledge here but you might find that the 3Com documentation would be a better place to search.
From the IC side, there are some fairly standardised ways of expressing dynamic VLANs that many vendors now use (including Juniper in the EX series switches).
For each user in the user database (or for groups, to which each user belongs), you need to define three attributes.
Attribute-Name             Attribute-Number   Attribute-Type
Tunnel-Type                64                 Integer
Tunnel-Medium-Type         65                 Integer
Tunnel-Private-Group-Id    81                 String
Tunnel-Type always equals 13 (VLAN)
Tunnel-Medium-Type always equals 6 (802)
Tunnel-Private-Group-Id is the identifier of the VLAN to which the user should be assigned.
I hope that helps you with setting up the IC. It might also help you find the right info for the 3Com switch.
Rgds,
Guy
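As an added example (not from this post, nor Juniper's or 3Com's code), the three attributes above encoded as RADIUS TLVs and then checked the way a switch checks an Access-Accept before moving the port: the VLAN is applied only when Tunnel-Type is 13, Tunnel-Medium-Type is 6 and a Tunnel-Private-Group-Id is present. It also handles the RFC 2868 tag octet that groups the three attributes, which the post does not mention; all function names are my own.

```python
import struct

# RFC 2868 attribute numbers and values quoted in the post above
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def tunnel_attr(attr_type, value, tag=0):
    """Encode one tunnel attribute as a RADIUS TLV (type, length, value).
    Tunnel attributes carry a leading tag octet (0x00-0x1F) that groups the
    three attributes of one tunnel; integers use the remaining 3 octets."""
    if isinstance(value, int):
        body = bytes([tag]) + struct.pack(">I", value)[1:]
    else:
        body = bytes([tag]) + value.encode("ascii")
    return struct.pack("BB", attr_type, 2 + len(body)) + body

def build_vlan_attributes(vlan, tag=0):
    """The three attributes a RADIUS policy puts in Access-Accept for a VLAN."""
    return (tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))

def parse_attributes(data):
    """Walk the attribute TLVs of a RADIUS packet body, returning (type, value)."""
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def assigned_vlan(data):
    """Return the VLAN (ID or name string) the switch should apply, or None when
    the attribute set is incomplete or inconsistent, i.e. the check a switch
    makes before moving the port. A leading octet <= 0x1F is the tag."""
    by_tag = {}
    for atype, val in parse_attributes(data):
        if atype not in TUNNEL_ATTRS:
            continue
        tag, body = (val[0], val[1:]) if val and val[0] <= 0x1F else (0, val)
        by_tag.setdefault(tag, {})[atype] = body
    for _, attrs in sorted(by_tag.items()):
        if (attrs.get(TUNNEL_TYPE) == b"\x00\x00\x0d"
                and attrs.get(TUNNEL_MEDIUM_TYPE) == b"\x00\x00\x06"
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return None
```

Whether the returned string is matched as a VLAN ID or a VLAN name is decided on the switch side (the vlan-assignment-mode setting in the 3Com configs in this thread).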
Thanks a lot to all of you for your great help.
Now I have 802.1x set up with (computer) certificates and dynamic VLAN assignment by Microsoft IAS (RADIUS).
Now here comes the IC4000 into the picture: I want to replace IAS (RADIUS) with the IC4000 built-in SBR instance.
Will it work fine and meet all requirements of 802.1x and dynamic VLAN assignment?
What steps do I need to configure the IC4000 as a RADIUS server?
Thanks again in advance.
Raja M Kamran
System Administrator
923223932963
Hi All,
I applied the commands below to enable 802.1x authentication on a 3Com 5500 switch and I receive many errors. Can anyone let me know what is wrong with the commands, or provide me with working commands to enable 802.1x authentication with the IC4500?
domain default enable alzamildomain
port-security enable
dot1x authentication-method eap
undo dot1x handshake enable
radius scheme CUST
server-type extended
primary authentication 172.16.2.1
primary accounting 172.16.2.1
accounting optional
key authentication Password.
key accounting Password.
user-name-format without-domain
nas-ip 172.16.50.1
calling-station-id mode mode2 uppercase
domain CUST
scheme radius-scheme CUST
accounting radius-scheme CUST
vlan-assignment-mode vlan-list
interface Ethernet1/0/1
poe enable
stp edged-port enable
port link-type hybrid
port hybrid vlan 3 untagged
undo port hybrid vlan 1
port hybrid pvid vlan 3
broadcast-suppression pps 3000
port-security max-mac-count 1
port-security port-mode userlogin-secure-or-mac
port-security guest-vlan 240
dot1x max-user 1    <-- I receive errors here: "Port Ethernet1/0/21 has set port-mode for port-security, can not support this operation."
port access vlan 121
undo jumboframe enable
dot1x port-method portbased
dot1x guest-vlan 240
dot1x
dot1x re-authenticate
apply qos-profile default
Thanks in advance.
Hi,
The error explains that you can't configure dot1x max-count if port-security is enabled!
In your configuration, disable the following:
port-security port-mode userlogin-secure-or-mac
Regards,
Stanislas