Dynamic VLAN Assignment with 802.1X HowTo

Introduction

This document describes how dynamic VLAN assignment can be configured for 802.1X authentication. For an overview of all available configuration settings for Port Access Control, refer to the configuration section in the Port Access Control Guide.

Overview

This is a simplified example designed to give a clear, basic demonstration of what needs to be configured on the WeOS device to get VLAN assignment working with port access control using 802.1X. The focus is on the core configuration concepts rather than on a complete, production-ready deployment. Real-world implementations may require additional security considerations, redundancy, and more complex network topologies.

For this use case example the following topology, or similar, is considered:

                           Authentication
                               Server          Supplicant-1 -> VLAN 10
                              .------.         Supplicant-2 -> VLAN 20
                              |RADIUS|         Supplicant-3 -> VLAN 30
                              '--+---'         Supplicant-4 -> VLAN 40
                                 | 10.0.1.2
                                 | VLAN 1
                                 |
      |               |          |           |               |
  .--.-.          .--.-.         |       .--.-.          .--.-.
 ( (    )__      ( (    )__      |      ( (    )__      ( (    )__
(_,  \ ) ,_)    (_,  \ ) ,_)     |     (_,  \ ) ,_)    (_,  \ ) ,_)
  '-'--`--'       '-'--`--'      |       '-'--`--'       '-'--`--'
      |               |          |           |               |
      |   20.0.0.0/24 |          |           | 40.0.0.0/24   |
      |       VLAN 20 |          | VLAN 1    | VLAN 40       |
      |               |          | 10.0.1.1  |               |
      | 10.0.0.0/24 .-+----------+-----------+-. 30.0.0.0/24 |
      | VLAN 10     | 6          5           4 |     VLAN 30 |
      '-------------+ 7         WeOS         3 +-------------'
                    |    1                2    |
                    '----+----------------+----'
                         X    Start in    X    <== Controlled Ports
                         |     VLAN 1     |     (All Blocked by
                         |                |      Authenticator)
                      .--+-.            .-+--.
    00:11:22:33:44:55 | H1 |            | H2 | 00:aa:bb:cc:dd:ee
                      '----'            '----'
                    Supplicant-1      Supplicant-3
                    Supplicant-2      Supplicant-4

Figure 1: A basic setup of port access control using 802.1X. It shows two hosts, H1 and H2, each of which can run one of two supplicants; the supplicant used determines which VLAN the authenticator (the WeOS device) places port eth1 or eth2 in.

Port names

The port numbers as presented in Figure 1 will be referred to as eth1-eth7 in the configuration examples below, i.e. 1 -> eth1, 2 -> eth2, etc.

With this example setup the goal is to have the ports, connected to the hosts, on the WeOS device be assigned dynamically to different VLANs based on the supplicant that connects. For example, if Supplicant-1 connects to the port, the port should be assigned to VLAN 10, but if Supplicant-2 connects to the same port, the port should be assigned to VLAN 20. The same applies for Supplicant-3 and Supplicant-4, but with VLANs 30 and 40 respectively.

It is assumed that the RADIUS server processing the authentication requests from the WeOS device is configured to return the correct VLAN assignment for each supplicant. In addition to whatever else is required for the authentication to succeed, the RADIUS server must therefore include the following attributes (the RFC 2868 tunnel attributes, as applied to VLAN assignment in RFC 3580) in the Access-Accept for each supplicant:

Tunnel-Type = VLAN (13),
Tunnel-Medium-Type = IEEE-802 (6),
Tunnel-Private-Group-Id = [numeric VLAN tag, e.g. 10, 20, 30, 40]

It is this Tunnel information that the WeOS device uses to determine which VLAN to assign the port to when a successful authentication occurs. Note that Tunnel-Private-Group-Id is a string attribute; in this setup it must carry the numeric VID, not a VLAN name.
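To make the attribute triple above concrete, here is an added example (not WeOS code and not part of the original HowTo) that encodes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id the way a RADIUS server puts them into an Access-Accept, and decodes them the way an authenticator has to, including the RFC 2868 tag byte and the rule that a leading byte above 0x1F in Tunnel-Private-Group-Id is data rather than a tag. The supplicant-to-VLAN table and all function names are constructed for this example.

```python
"""RADIUS tunnel attributes for 802.1X VLAN assignment (RFC 2868 / RFC 3580).

Added example, not WeOS code. The supplicant-to-VLAN table below is a
constructed stand-in for whatever policy the real RADIUS server holds.
"""

# Attribute numbers and values from RFC 2868
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # "VLAN" in the RADIUS dictionary
TUNNEL_MEDIUM_IEEE_802 = 6     # "IEEE-802" in the RADIUS dictionary

# Constructed policy matching Figure 1 (hypothetical; lives on the RADIUS server)
SUPPLICANT_VLANS = {"Supplicant-1": 10, "Supplicant-2": 20,
                    "Supplicant-3": 30, "Supplicant-4": 40}


def _attr(attr_type, payload):
    """RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer (RFC 2868 3.1/3.2): 1-byte tag + 3-byte big-endian value."""
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_tagged_string(attr_type, tag, text):
    """Tagged string (RFC 2868 3.6): the tag byte is only present for tag 1..0x1F."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    prefix = bytes([tag]) if tag else b""
    return _attr(attr_type, prefix + text.encode("ascii"))


def build_vlan_attributes(vid, tag=1):
    """What the RADIUS server adds to the Access-Accept for a given VID."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vid)))


def access_accept_attributes(supplicant):
    """Server side: the VLAN triple for a known supplicant, b"" for an unknown one."""
    vid = SUPPLICANT_VLANS.get(supplicant)
    return build_vlan_attributes(vid) if vid is not None else b""


def parse_attributes(data):
    """Authenticator side: split a RADIUS attribute list into (type, value) pairs,
    refusing truncated or zero-length attributes instead of reading past them."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def vlan_from_access_accept(data):
    """Return the VID the server assigned, or None if there is no usable triple.

    Attributes are grouped by tag; an untagged Tunnel-Private-Group-Id (first
    byte > 0x1F) counts as tag 0. Only a numeric VID in 1..4094 whose group also
    has Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 is accepted.
    """
    groups = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be 4 bytes")
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for _, group in sorted(groups.items()):
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            gid = group.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


if __name__ == "__main__":
    for name in SUPPLICANT_VLANS:
        attrs = access_accept_attributes(name)
        print(name, attrs.hex(), "->", vlan_from_access_accept(attrs))
```

The decoder deliberately rejects a triple whose Tunnel-Medium-Type is not IEEE-802, a non-numeric or out-of-range group ID, and malformed attribute lengths; an authenticator that silently accepts any of these is trusting more of the Access-Accept than RFC 3580 defines.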

Only Assignable Untagged

As described in the VLAN Assignment section in the Port Access Control Guide, ports can only be assigned untagged to VLANs when doing dynamic VLAN assignment. Since a port can be untagged in only one VLAN, this also means that a port can only ever be assigned to one VLAN at a time. Consequently, it is the first authenticated client on a port that determines which VLAN the port is assigned to; any further client on the same port must be assigned the same VLAN (see Regarding Multiple Supplicants on the Same Port below).

Configuration

The first thing to do is to configure the base VLAN vlan1 and its associated interface. As mentioned in the topology description, the ports that face the hosts (eth1 and eth2) start in VLAN 1, and this is where they will be moved back to when the supplicants disconnect. In addition, the port on the WeOS device that faces the RADIUS server (eth5) is also in VLAN 1.

example:/#> config
example:/config/#> vlan 1
example:/config/vlan-1/#> untagged eth1,eth2,eth5
example:/config/vlan-1/#> end
example:/config/#> iface vlan1
example:/config/iface-vlan1/#> inet static 10.0.1.1/24
example:/config/iface-vlan1/inet-static-10.0.1.1/#> end
example:/config/iface-vlan1/#> end
example:/config/#>

The VLANs that are to be assigned dynamically must also be configured, for two reasons: there must be a port providing access to each VLAN, and any VLAN to be assigned dynamically must already exist on the device. VLANs are not created automatically when the RADIUS server returns VLAN assignment information. For more information, see the section on assignable VLANs in the Port Access Control Guide.

example:/config/#> vlan 10
example:/config/vlan-10/#> untagged eth7
example:/config/vlan-10/#> end
example:/config/#> vlan 20
example:/config/vlan-20/#> untagged eth6
example:/config/vlan-20/#> end
example:/config/#> vlan 30
example:/config/vlan-30/#> untagged eth3
example:/config/vlan-30/#> end
example:/config/#> vlan 40
example:/config/vlan-40/#> untagged eth4
example:/config/vlan-40/#> end
example:/config/#> iface vlan10
example:/config/iface-vlan10/#> inet static 10.0.0.1/24
example:/config/iface-vlan10/inet-static-10.0.0.1/#> end
example:/config/iface-vlan10/#> end
example:/config/#> iface vlan20
example:/config/iface-vlan20/#> inet static 20.0.0.1/24
example:/config/iface-vlan20/inet-static-20.0.0.1/#> end
example:/config/iface-vlan20/#> end
example:/config/#> iface vlan30
example:/config/iface-vlan30/#> inet static 30.0.0.1/24
example:/config/iface-vlan30/inet-static-30.0.0.1/#> end
example:/config/iface-vlan30/#> end
example:/config/#> iface vlan40
example:/config/iface-vlan40/#> inet static 40.0.0.1/24
example:/config/iface-vlan40/inet-static-40.0.0.1/#> end
example:/config/iface-vlan40/#> end
example:/config/#>

Next, the RADIUS server definition to be used by the port access instance is configured. The RADIUS server is located at IP address 10.0.1.2 and uses the default RADIUS port (1812) in this example. The password is the RADIUS shared secret: it must match the secret the server has configured for this WeOS device, and since it is what authenticates the RADIUS exchange between the two, it should be long, random and unique to this device rather than a placeholder like the one shown here.

example:/config/#> aaa
example:/config/aaa/#> remote-server 1
Creating new remote server 1
example:/config/aaa/remote-server-1/#> description MyRADIUS
example:/config/aaa/remote-server-1/#> address 10.0.1.2
example:/config/aaa/remote-server-1/#> password TopS3cret
example:/config/aaa/remote-server-1/#> end
example:/config/aaa/#> end

Performance Consideration

For best performance, it is recommended to use IP address (rather than domain name) when defining the RADIUS server.

At this point the port access instance can be configured. The ports eth1 and eth2 are added as port access ports, and 802.1X is enabled for the instance with remote server 1 as its authentication server.

example:/config/#> port-access
Creating new Port Access instance 1.
example:/config/port-access-1/#> port eth1,eth2
example:/config/port-access-1/#> description "VLAN Assignment Example"
example:/config/port-access-1/#> port-method mac-based
example:/config/port-access-1/#> dot1x
example:/config/port-access-1/dot1x/#> authentication-server 1
example:/config/port-access-1/dot1x/#> end
example:/config/port-access-1/#>

Port Method

In this example the port method is explicitly set to mac-based, which is also the default setting. In terms of VLAN assignment the behaviour should be the same even if port-based is used as the port method. See Port Method for more information about port methods.

Finally, VLAN assignment is enabled for the port access instance, and the VLANs the RADIUS server is allowed to place these ports in are selected. A VLAN returned by the server that is not in this list cannot be assigned to the ports of this instance.

example:/config/port-access-1/#> vlan-assignment
example:/config/port-access-1/vlan-assignment/#> allowed-vlans vlan10 vlan20 vlan30 vlan40
example:/config/port-access-1/vlan-assignment/#> end
example:/config/port-access-1/#>

The allowed vlans can also be specified by their VID

The allowed VLANs can also be specified by their numeric VLAN tag, e.g. 10, 20, 30, 40 using the allowed-vid command instead of allowed-vlans. They manipulate the exact same setting, and can be used interchangeably:

example:/config/port-access-1/vlan-assignment/#> allowed-vid 10 20 30 40

At this point the port access configuration should look something like:

example:/config/port-access-1/#> show
Port Access General Settings                                                  
Status                  : Enabled
Description             : VLAN Assignment Example
Ports                   : eth1..eth2
Port Method             : MAC Based

802.1X Settings                                                               
Status                  : Enabled
Authentication server   : 1
Active authentication   : 30 Seconds
Re-authenticate         : Disabled
Quiet period            : 10 Seconds

MAC Authentication Settings                                                   
Not configured.

VLAN Assignment Settings                                                      
Status                  : Enabled
Allowed VIDs            : 10 (vlan10), 20 (vlan20), 30 (vlan30), 40 (vlan40)
Default VLAN            : Disabled
example:/config/port-access-1/#>

At this point the basic configuration is done, and the ports eth1 and eth2 should be able to authenticate and be assigned to the correct VLANs based on the supplicant used and the information returned from the RADIUS server. Exit the configuration context to apply the configuration.

example:/config/port-access-1/#> leave
[*] System setup running...
[*] System Ready...
Configuration activated.
Remember "copy run start" to save to flash (NVRAM).
example:/#>

Using Separate Port Access Instances to Isolate Ports to Certain VLANs

In the example above a single port access instance was used for both ports eth1 and eth2, and it would be possible for both ports to be assigned to any of the VLANs 10, 20, 30 and 40 based on the supplicant used. If the goal is to isolate the ports so that eth1 can only be assigned to VLAN 10 and VLAN 20, and eth2 can only be assigned to VLAN 30 and VLAN 40, two separate port access instances can be used, one for each port, and the allowed VLANs can be configured separately for each instance.

In such a case the configuration of port access instance 1 for port eth1 would look something like this:

example:/config/#> port-access 1
Creating new Port Access instance 1.
example:/config/port-access-1/#> port eth1
example:/config/port-access-1/#> description "Site A - Port 1"
example:/config/port-access-1/#> port-method mac-based
example:/config/port-access-1/#> dot1x
example:/config/port-access-1/dot1x/#> authentication-server 1
example:/config/port-access-1/dot1x/#> end
example:/config/port-access-1/#> vlan-assignment
example:/config/port-access-1/vlan-assignment/#> allowed-vlans vlan10 vlan20
example:/config/port-access-1/vlan-assignment/#> end
example:/config/port-access-1/#> end
example:/config/#>

And the configuration of port access instance 2 for port eth2 would look something like this:

example:/config/#> port-access 2
Creating new Port Access instance 2.
example:/config/port-access-2/#> port eth2
example:/config/port-access-2/#> description "Site A - Port 2"
example:/config/port-access-2/#> port-method mac-based
example:/config/port-access-2/#> dot1x
example:/config/port-access-2/dot1x/#> authentication-server 1
example:/config/port-access-2/dot1x/#> end
example:/config/port-access-2/#> vlan-assignment
example:/config/port-access-2/vlan-assignment/#> allowed-vlans vlan30 vlan40
example:/config/port-access-2/vlan-assignment/#> end
example:/config/port-access-2/#> end
example:/config/#>

With these two separate port access instances, port eth1 can now only be assigned to VLAN 10 and VLAN 20, and port eth2 can only be assigned to VLAN 30 and VLAN 40, based on the supplicant used and the information returned from the RADIUS server. This is a least-privilege measure on the authenticator side: even if a RADIUS policy is misconfigured or a credential valid for VLAN 30 is used on eth1, the port cannot end up in VLAN 30, because that VLAN is not in the allowed list of instance 1. In this example only the port configuration and the VLAN assignment settings differ between the two instances, but all the other settings can also be configured differently if needed, e.g. different authentication servers or different port methods.

Status

This section demonstrates how to verify the port access and VLAN assignment status at different stages. The following examples show the output before any authentication takes place, after initial authentication with specific supplicants, and after the ports are reassigned to different VLANs when different supplicants connect.

Before Authentication

Before any supplicant has attempted to authenticate, the status of the port access instance should look something like this:

example:/#> show port-access
Number of Port Access Instances: 1
Table Instance Dividers        : Disabled

╒ 802.1X Authentications ════════════════════════════════════════════════════╕
│#  MAC-ADDRESS        SUPPLICANT    PORT    SERVER           DATE-ADDED     │
│No authenticated 802.1X clients found.                                      │
└────────────────────────────────────────────────────────────────────────────┘

╒ MAC Auth Authentications ══════════════════════════════════════════════════╕
│#  MAC-ADDRESS        PORT    METHOD                         DATE-ADDED     │
│No authenticated MAC addresses found.                                       │
└────────────────────────────────────────────────────────────────────────────┘

╒ Ports ═════════════════════════════════════════════════════════════════════╕
│PORT    METHOD      STATE                           AUTHENTICATED-MAC       │
│eth1    MAC Based   0 Authentications               -                       │
│eth2    MAC Based   0 Authentications               -                       │
└────────────────────────────────────────────────────────────────────────────┘

╒ VLAN Assignment ═══════════════════════════════════════════════════════════╕
│PORT    ENABLED  STATE       FROM     ASSIGNING-CLIENT   VLAN               │
│eth1    Yes      Unassigned  -        -                  -                  │
│eth2    Yes      Unassigned  -        -                  -                  │
└────────────────────────────────────────────────────────────────────────────┘

- Use 'show port-access audit' to display related events in the audit log.
- Use 'show port-access INSTANCE' to show details for a specific instance.
- Use 'port-access instance-dividers' to enable dividers between instances
  in the tables.
example:/#>

In addition, the ports eth1 and eth2 are still in their starting VLAN (vlan1):

example:/#> show vlan
VID  NAME             TAGGED/UNTAGGED/POLICY NEST                             
   1 vlan1            T:
                      U:eth1..eth2, eth5
                      N:
  10 vlan10           T:
                      U:eth7
                      N:
  20 vlan20           T:
                      U:eth6
                      N:
  30 vlan30           T:
                      U:eth3
                      N:
  40 vlan40           T:
                      U:eth4
                      N:
example:/#>
example:/#> show port
PORT             LINK     TYPE       SPEED  STATE           OWNER/VLAN        
eth1             Up        N/A     Unknown  Forwarding      vlan U:1
eth2             Up        N/A     Unknown  Forwarding      vlan U:1
eth3             Up        N/A     Unknown  Forwarding      vlan U:30
eth4             Up        N/A     Unknown  Forwarding      vlan U:40
eth5             Up        N/A     Unknown  Forwarding      vlan U:1
eth6             Up        N/A     Unknown  Forwarding      vlan U:20
eth7             Up        N/A     Unknown  Forwarding      vlan U:10
example:/#>

After Authentication

Now let’s assume that authentication is done with Supplicant-1 on host H1 and Supplicant-3 on host H2. The ports eth1 and eth2 should then be assigned to VLAN 10 and VLAN 30 respectively, and the status should look something like this:

example:/#> show port-access
Number of Port Access Instances: 1
Table Instance Dividers        : Disabled

╒ 802.1X Authentications ════════════════════════════════════════════════════╕
│#  MAC-ADDRESS        SUPPLICANT    PORT    SERVER           DATE-ADDED     │
│1  00:11:22:33:44:55  Supplicant-1  eth1    10.0.1.2         Mar 11 10:23:15│
│2  00:aa:bb:cc:dd:ee  Supplicant-3  eth2    10.0.1.2         Mar 11 10:24:08│
└────────────────────────────────────────────────────────────────────────────┘

╒ MAC Auth Authentications ══════════════════════════════════════════════════╕
│#  MAC-ADDRESS        PORT    METHOD                         DATE-ADDED     │
│No authenticated MAC addresses found.                                       │
└────────────────────────────────────────────────────────────────────────────┘

╒ Ports ═════════════════════════════════════════════════════════════════════╕
│PORT    METHOD      STATE                           AUTHENTICATED-MAC       │
│eth1    MAC Based   1 Authentication                00:11:22:33:44:55       │
│eth2    MAC Based   1 Authentication                00:aa:bb:cc:dd:ee       │
└────────────────────────────────────────────────────────────────────────────┘

╒ VLAN Assignment ═══════════════════════════════════════════════════════════╕
│PORT    ENABLED  STATE       FROM     ASSIGNING-CLIENT   VLAN               │
│eth1    Yes      Assigned    Server   00:11:22:33:44:55   VID 10 (vlan10)   │
│eth2    Yes      Assigned    Server   00:aa:bb:cc:dd:ee   VID 30 (vlan30)   │
└────────────────────────────────────────────────────────────────────────────┘

- Use 'show port-access audit' to display related events in the audit log.
- Use 'show port-access INSTANCE' to show details for a specific instance.
- Use 'port-access instance-dividers' to enable dividers between instances
  in the tables.
example:/#>

The VLAN and port status should now also reflect the new VLAN assignment for the ports:

example:/#> show vlan
VID  NAME             TAGGED/UNTAGGED/POLICY NEST                             
   1 vlan1            T:
                      U:eth5
                      N:
  10 vlan10           T:
                      U:eth1, eth7
                      N:
  20 vlan20           T:
                      U:eth6
                      N:
  30 vlan30           T:
                      U:eth2..eth3
                      N:
  40 vlan40           T:
                      U:eth4
                      N:
example:/#>
example:/#> show port
PORT             LINK     TYPE       SPEED  STATE           OWNER/VLAN        
eth1             Up        N/A     Unknown  Forwarding      vlan U:10
eth2             Up        N/A     Unknown  Forwarding      vlan U:30
eth3             Up        N/A     Unknown  Forwarding      vlan U:30
eth4             Up        N/A     Unknown  Forwarding      vlan U:40
eth5             Up        N/A     Unknown  Forwarding      vlan U:1
eth6             Up        N/A     Unknown  Forwarding      vlan U:20
eth7             Up        N/A     Unknown  Forwarding      vlan U:10
example:/#>

As you can see, eth1 has been dynamically assigned to VLAN 10 (vlan10) and eth2 has been assigned to VLAN 30 (vlan30) based on the authentication information received from the RADIUS server. The ports are now untagged members of their respective assigned VLANs instead of the initial VLAN 1.

Regarding Multiple Supplicants on the Same Port

At this point the port's VLAN is effectively locked to the VLAN of the first authenticated supplicant on that port. Any other supplicant connecting to the same port must be assigned the same VLAN by the RADIUS server in order to authenticate successfully.

In the use case presented in Figure 1 multiple supplicants will not be present on the same port. It is still worth noting, since it does happen when several hosts can reach the same port, e.g. when another switch with multiple hosts behind it is connected to the port: whichever host authenticates first then chooses the VLAN for every host behind that port.

Ports eth1 and eth2 now remain assigned to VLAN 10 and VLAN 30 respectively until the authenticated clients are deauthenticated, e.g. when the supplicant disconnects or the port link goes down. When this happens the ports are moved back to their starting VLAN, in this use case VLAN 1.
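The rules just described (a VLAN must exist on the device, it must be in the instance's allowed list, the first authenticated client locks the port's VLAN, and the port returns to VLAN 1 once no client remains), together with the per-instance isolation from the section Using Separate Port Access Instances to Isolate Ports to Certain VLANs, are captured in the following added example. It is a model written for this page, not WeOS code; the class and outcome names are hypothetical, and settings the HowTo does not exercise (such as the Default VLAN option) are left out.

```python
"""Authenticator-side VLAN assignment policy, modelled on the behaviour this
HowTo describes. Added example with hypothetical names; it is not WeOS code and
does not model every setting (the Default VLAN option is left out)."""

START_VID = 1   # the ports' starting VLAN in Figure 1

# Outcomes of applying a server-assigned VID to a port (names are hypothetical)
ASSIGNED = "assigned"
VLAN_NOT_CONFIGURED = "vlan-not-configured"   # VLAN must already exist on the device
VLAN_NOT_ALLOWED = "vlan-not-allowed"         # not in the instance's allowed-vid list
PORT_LOCKED = "port-locked-to-other-vlan"     # first authenticated client chose the VLAN


class PortAccessInstance:
    """One 'port-access N' instance: its ports and its allowed-vid list."""

    def __init__(self, name, ports, allowed_vids):
        self.name = name
        self.ports = frozenset(ports)
        self.allowed_vids = frozenset(allowed_vids)


class Authenticator:
    def __init__(self, configured_vids, instances):
        self.configured_vids = frozenset(configured_vids)
        self.instance_of = {}      # port -> PortAccessInstance
        self.port_vid = {}         # port -> VLAN the port is untagged in right now
        self.clients = {}          # port -> {mac: vid}
        for inst in instances:
            for port in inst.ports:
                if port in self.instance_of:
                    raise ValueError(f"{port} is in two port-access instances")
                self.instance_of[port] = inst
                self.port_vid[port] = START_VID
                self.clients[port] = {}

    def access_accept(self, port, mac, server_vid):
        """Apply the VID from the RADIUS Access-Accept; returns an outcome string."""
        inst = self.instance_of[port]
        if server_vid not in self.configured_vids:
            return VLAN_NOT_CONFIGURED
        if server_vid not in inst.allowed_vids:
            return VLAN_NOT_ALLOWED
        # Dynamic assignment is untagged only, so a port is in exactly one VLAN:
        # once a client is authenticated, later clients must be given the same VID.
        if self.clients[port] and server_vid != self.port_vid[port]:
            return PORT_LOCKED
        self.clients[port][mac] = server_vid
        self.port_vid[port] = server_vid
        return ASSIGNED

    def deauthenticate(self, port, mac):
        """Remove a client; the port returns to START_VID once no client remains."""
        self.clients[port].pop(mac, None)
        if not self.clients[port]:
            self.port_vid[port] = START_VID
        return self.port_vid[port]

    def link_down(self, port):
        """All clients on the port are deauthenticated when the link goes down."""
        self.clients[port].clear()
        self.port_vid[port] = START_VID
        return START_VID


def single_instance():
    """The first configuration in this HowTo: one instance, all four VLANs allowed."""
    return Authenticator({1, 10, 20, 30, 40},
                         [PortAccessInstance("port-access-1", {"eth1", "eth2"},
                                             {10, 20, 30, 40})])


def isolated_instances():
    """The two-instance variant: eth1 limited to 10/20, eth2 to 30/40."""
    return Authenticator({1, 10, 20, 30, 40},
                         [PortAccessInstance("port-access-1", {"eth1"}, {10, 20}),
                          PortAccessInstance("port-access-2", {"eth2"}, {30, 40})])


if __name__ == "__main__":
    H1, H2 = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    a = single_instance()
    print("Supplicant-1 on eth1:", a.access_accept("eth1", H1, 10), a.port_vid["eth1"])
    print("second host on eth1 wanting 20:", a.access_accept("eth1", "02:00:00:00:00:01", 20))
    print("H1 deauthenticated, eth1 back in VID", a.deauthenticate("eth1", H1))
    print("Supplicant-2 on eth1:", a.access_accept("eth1", H1, 20), a.port_vid["eth1"])
    b = isolated_instances()
    print("credential for VLAN 30 used on eth1:", b.access_accept("eth1", H1, 30))
    print("same credential on eth2:", b.access_accept("eth2", H2, 30))
```

The checks run in the order an operator would want to reason about them: a VLAN the device does not have can never be assigned regardless of the instance; the allowed list is the per-instance limit; and only then does the per-port lock apply. The model also shows why a port stays in its assigned VLAN while a second, same-VLAN client remains authenticated after the first one leaves.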

Now let’s say that Supplicant-1 and Supplicant-3 have been deauthenticated, and then Supplicant-2 and Supplicant-4 connect to the ports eth1 and eth2 respectively. The ports should then be assigned to VLAN 20 and VLAN 40 respectively, and the status should look something like this:

example:/#> show port-access
Number of Port Access Instances: 1
Table Instance Dividers        : Disabled

╒ 802.1X Authentications ════════════════════════════════════════════════════╕
│#  MAC-ADDRESS        SUPPLICANT    PORT    SERVER           DATE-ADDED     │
│1  00:11:22:33:44:55  Supplicant-2  eth1    10.0.1.2         Mar 11 11:35:42│
│2  00:aa:bb:cc:dd:ee  Supplicant-4  eth2    10.0.1.2         Mar 11 11:36:18│
└────────────────────────────────────────────────────────────────────────────┘

╒ MAC Auth Authentications ══════════════════════════════════════════════════╕
│#  MAC-ADDRESS        PORT    METHOD                         DATE-ADDED     │
│No authenticated MAC addresses found.                                       │
└────────────────────────────────────────────────────────────────────────────┘

╒ Ports ═════════════════════════════════════════════════════════════════════╕
│PORT    METHOD      STATE                           AUTHENTICATED-MAC       │
│eth1    MAC Based   1 Authentication                00:11:22:33:44:55       │
│eth2    MAC Based   1 Authentication                00:aa:bb:cc:dd:ee       │
└────────────────────────────────────────────────────────────────────────────┘

╒ VLAN Assignment ═══════════════════════════════════════════════════════════╕
│PORT    ENABLED  STATE       FROM     ASSIGNING-CLIENT   VLAN               │
│eth1    Yes      Assigned    Server   00:11:22:33:44:55   VID 20 (vlan20)   │
│eth2    Yes      Assigned    Server   00:aa:bb:cc:dd:ee   VID 40 (vlan40)   │
└────────────────────────────────────────────────────────────────────────────┘

- Use 'show port-access audit' to display related events in the audit log.
- Use 'show port-access INSTANCE' to show details for a specific instance.
- Use 'port-access instance-dividers' to enable dividers between instances
  in the tables.
example:/#>

The VLAN and port status should now reflect the new VLAN assignments:

example:/#> show vlan
VID  NAME             TAGGED/UNTAGGED/POLICY NEST                             
   1 vlan1            T:
                      U:eth5
                      N:
  10 vlan10           T:
                      U:eth7
                      N:
  20 vlan20           T:
                      U:eth1, eth6
                      N:
  30 vlan30           T:
                      U:eth3
                      N:
  40 vlan40           T:
                      U:eth2, eth4
                      N:
example:/#>
example:/#> show port
PORT             LINK     TYPE       SPEED  STATE           OWNER/VLAN        
eth1             Up        N/A     Unknown  Forwarding      vlan U:20
eth2             Up        N/A     Unknown  Forwarding      vlan U:40
eth3             Up        N/A     Unknown  Forwarding      vlan U:30
eth4             Up        N/A     Unknown  Forwarding      vlan U:40
eth5             Up        N/A     Unknown  Forwarding      vlan U:1
eth6             Up        N/A     Unknown  Forwarding      vlan U:20
eth7             Up        N/A     Unknown  Forwarding      vlan U:10
example:/#>

As shown above, eth1 has been dynamically reassigned to VLAN 20 (vlan20) and eth2 has been reassigned to VLAN 40 (vlan40), demonstrating how the same ports can be dynamically moved between different VLANs based on which supplicant authenticates on the host.