
How to Configure Dynamic VLAN Assignment for Colorless Ports

Summary

You can configure an EX Series switch and a Network Access Control (NAC) server to profile endpoints in the authentication process and use the device profiling information to determine access policy and VLAN assignment.

Dynamic VLAN Assignment for Colorless Ports

Enterprises typically have a variety of users and endpoints, which results in multiple use cases that their policy infrastructure must address. The policy infrastructure should allow any device to connect to any port on the access switch and be authenticated based on the capabilities of the device, the authorization level of the user, or both.

Colorless ports allow any device to connect to any port because all ports share the same configuration. The colorless port concept relies on device profiling for VLAN assignment. Based on the type of device connected to the port (AP, IP camera, or printer), the NAC server returns the appropriate VLAN using RADIUS attributes.

Benefits of Dynamic VLAN Assignment for Colorless Ports

  • Allow any device to be connected to any port on an access switch.

  • Deploy consistent security policies across the enterprise.

Overview

When 802.1X authentication is enabled on a port, the switch (known as the authenticator) blocks all traffic to and from the end device (known as a supplicant) until the supplicant’s credentials are presented and matched on an NAC server. The NAC server is typically a RADIUS server or a policy manager that acts as a RADIUS server. After the supplicant is authenticated, the switch opens the port to the supplicant.

As part of the authentication process, a RADIUS server can return IETF-defined attributes that provide VLAN assignments to the switch. You can configure a policy manager to pass different RADIUS attributes back to the switch based on the endpoint access policy. The switch dynamically changes the VLAN assigned to the port according to the RADIUS attributes it receives.

Egress-VLAN attributes

To support both access and trunk ports as colorless ports, the RADIUS attribute must indicate if the frames on the VLAN for this port are to be represented in tagged or untagged format. The following attributes are supported for dynamically assigning a VLAN and also specifying the frame format:

  • Egress-VLAN-ID

  • Egress-VLAN-Name

The Egress-VLAN-ID or Egress-VLAN-Name attribute contains two parts: the first part indicates whether frames on the VLAN for this port are to be represented in tagged or untagged format, and the second part is the VLAN ID (for Egress-VLAN-ID) or the VLAN name (for Egress-VLAN-Name).

For Egress-VLAN-ID:

  • 0x31 = tagged

  • 0x32 = untagged

For example, the following RADIUS profile includes one tagged and one untagged VLAN:

For Egress-VLAN-Name:

  • 1 = tagged

  • 2 = untagged

In the example below, the value 1vlan-2 represents VLAN vlan-2 as tagged, and the value 2vlan-3 represents VLAN vlan-3 as untagged:

Note

It is mandatory to include the Tunnel-Type and Tunnel-Medium-Type attributes in the profile with Egress-VLAN-ID or Egress-VLAN-Name.

When the switch receives a VLAN assignment with Egress-VLAN-ID, it checks whether the VLAN is already present in the system. If not, it creates the dynamic VLAN. If Egress-VLAN-Name is used, the VLAN must already exist in the system.

Supplicant mode attributes

RADIUS attributes can also be used to change the supplicant mode for 802.1X authentication. Using a Juniper Networks vendor-specific attribute (VSA), you can set the supplicant mode to either single or single-secure:

  • Juniper-AV-Pair = Supplicant-Mode-Single

  • Juniper-AV-Pair = Supplicant-Mode-Single-Secure

When these attributes are received from the NAC server, the configured supplicant mode will be changed to match the VSA value after the session is authenticated. When the session ends, the supplicant mode reverts to the mode that was configured on the system before receiving the VSA from the NAC server.
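The two attribute encodings described in the Egress-VLAN section (a tag-indication octet of 0x31/0x32 in front of a 12-bit VLAN ID for Egress-VLAN-ID, a leading "1"/"2" in front of the VLAN name for Egress-VLAN-Name), the Note that Tunnel-Type and Tunnel-Medium-Type must accompany them, and the two Juniper-AV-Pair supplicant-mode values above are easy to get wrong in a NAC enforcement profile. The following Python is an added example, not code from the Juniper page or from any RADIUS product: it encodes and decodes both attribute values per RFC 4675 and lint-checks a constructed Access-Accept attribute list before it is loaded into a policy manager. The attribute names, the sample profiles, and the assumption that a port carries at most one untagged (native) VLAN are this example's own.

```python
# Added example: encode/decode Egress-VLAN-ID and Egress-VLAN-Name values and
# sanity-check a RADIUS reply profile. Not from the Juniper documentation.

TAGGED, UNTAGGED = 0x31, 0x32            # Egress-VLAN-ID tag-indication octet
NAME_TAGGED, NAME_UNTAGGED = "1", "2"    # Egress-VLAN-Name leading character
# The two supplicant-mode VSA values the page lists.
VSA_MODES = {"Supplicant-Mode-Single", "Supplicant-Mode-Single-Secure"}


def encode_egress_vlan_id(vlan_id: int, tagged: bool) -> int:
    """Build the 32-bit Egress-VLAN-ID: tag octet, 12 zero pad bits, 12-bit VLAN ID (RFC 4675)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlan_id(value: int) -> tuple[int, bool]:
    """Return (vlan_id, tagged); reject an unknown tag octet or non-zero pad bits."""
    tag = (value >> 24) & 0xFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indication 0x{tag:02x}")
    if (value >> 12) & 0xFFF:               # bits 12..23 are the pad field
        raise ValueError("pad bits must be zero")
    return value & 0xFFF, tag == TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> str:
    """Prefix the VLAN name with '1' (tagged) or '2' (untagged)."""
    return (NAME_TAGGED if tagged else NAME_UNTAGGED) + name


def decode_egress_vlan_name(value: str) -> tuple[str, bool]:
    """Return (vlan_name, tagged) from a string such as '1vlan-2'."""
    if len(value) < 2 or value[0] not in (NAME_TAGGED, NAME_UNTAGGED):
        raise ValueError(f"bad Egress-VLAN-Name: {value!r}")
    return value[1:], value[0] == NAME_TAGGED


def check_reply_profile(attrs: list[tuple[str, object]]) -> list[str]:
    """Lint a list of (attribute, value) pairs meant for an Access-Accept; return problems found."""
    names = {a for a, _ in attrs}
    problems = []
    if names & {"Egress-VLAN-ID", "Egress-VLAN-Name"}:
        # The page's Note: Tunnel-Type and Tunnel-Medium-Type are mandatory with Egress-VLAN-*.
        for required in ("Tunnel-Type", "Tunnel-Medium-Type"):
            if required not in names:
                problems.append(f"{required} missing (mandatory with Egress-VLAN attributes)")
    untagged = 0
    for attr, val in attrs:
        try:
            if attr == "Egress-VLAN-ID":
                _, tagged = decode_egress_vlan_id(int(val))
                untagged += not tagged
            elif attr == "Egress-VLAN-Name":
                _, tagged = decode_egress_vlan_name(str(val))
                untagged += not tagged
            elif attr == "Juniper-AV-Pair" and val not in VSA_MODES:
                problems.append(f"unknown Juniper-AV-Pair value {val!r}")
        except ValueError as exc:
            problems.append(f"{attr}: {exc}")
    if untagged > 1:  # assumption of this example: one native (untagged) VLAN per port
        problems.append("more than one untagged VLAN in the profile")
    return problems


# Constructed sample profiles (not from the page): one tagged and one untagged VLAN,
# plus a tagged VLAN by name and a supplicant-mode VSA.
SAMPLE_PROFILE = [
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Egress-VLAN-ID", encode_egress_vlan_id(2, tagged=True)),
    ("Egress-VLAN-ID", encode_egress_vlan_id(3, tagged=False)),
    ("Egress-VLAN-Name", encode_egress_vlan_name("vlan-2", tagged=True)),
    ("Juniper-AV-Pair", "Supplicant-Mode-Single-Secure"),
]
BROKEN_PROFILE = [  # constructed: Tunnel attributes missing, bad leading character
    ("Egress-VLAN-Name", "3vlan-9"),
]

if __name__ == "__main__":
    print(hex(encode_egress_vlan_id(2, True)), check_reply_profile(SAMPLE_PROFILE))
    for problem in check_reply_profile(BROKEN_PROFILE):
        print("BROKEN_PROFILE:", problem)
```

Running the block prints the tagged VLAN 2 value as 0x31000002 with no problems for SAMPLE_PROFILE, and three findings for BROKEN_PROFILE (the two missing Tunnel attributes and the malformed name). The decoder rejects non-zero pad bits and unknown tag octets rather than silently masking them, which is the behaviour you want when the value comes from a policy manager you do not control.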

Configuring Dynamic VLAN Assignment for Colorless Ports

This configuration example shows how to configure a switch and NAC server to profile endpoints in the 802.1X authentication process and use their device profiling information to determine access policy. In this example, an organization has four types of endpoints for which it has defined access policies:

  • Access points—Access points are allowed access to the network and are dynamically assigned to the AP_VLAN VLAN.

  • IP phones—IP phones are allowed access to the network. The IPPhone_VLAN is dynamically assigned as the VoIP VLAN.

  • Corporate laptops—Endpoints that have an 802.1X supplicant are authenticated by the user credentials. After the user is successfully authenticated, the laptop is granted access to the network and placed in the Employee_VLAN VLAN.

  • Cameras/IoT devices—Cameras and IoT devices with or without 802.1X supplicants can be added to the network and granted access to the Camera_IOT_VLAN VLAN.

  • Noncorporate laptops/Tablets—Endpoints that do not have an 802.1X supplicant and that are profiled as non-corporate devices are provided only internet access.

Table 1: Access Policies Details

  Access Policies   Wired           Wireless                            Authorization
  AP VLAN           130 (NATIVE)    ALLOWED VLAN = 121,131,151,102      -
  Employee          150             151                                 Access all
  IOT Camera        111             112                                 DHCP, NTP, and NVR
  IP-Phone          120             121                                 Between phones and call manager server
  Remediation       101             102                                 Quarantine

To implement the endpoint access policies, the policy infrastructure is configured as follows:

  • All access interfaces on the switch are initially configured in VLAN 100, which serves as a remediation VLAN. If an endpoint is not successfully authenticated or is not successfully profiled as one of the supported endpoints, it remains in the remediation VLAN.

  • Endpoints that have an 802.1X supplicant are authenticated by using 802.1X PEAP authentication. For more information on 802.1X PEAP authentication, see Configuring 802.1X PEAP and MAC RADIUS Authentication with EX Series Switches and Aruba ClearPass Policy Manager.

  • Endpoints that do not have an 802.1X supplicant are authenticated using MAC RADIUS authentication and are profiled to determine what type of device they are. These endpoints undergo a two-step authentication process:

    1. The first step occurs after an endpoint first connects to the switch but before it has been profiled by the NAC. After it connects, the endpoint is authenticated using MAC RADIUS authentication. The NAC applies an enforcement policy that instructs the switch to grant the endpoint access to the Internet but prevents it from accessing the internal network.

    2. The second step occurs after an endpoint has been successfully profiled. After being authenticated in the first step, the endpoint contacts a DHCP server to request an IP address. The switch relays the endpoint's DHCP messages to the DHCP server and also to the NAC server, which allows the NAC to profile the endpoint. After it has profiled the endpoint and added the endpoint to its endpoint repository, the NAC server sends a RADIUS Change of Authorization (CoA) message to the switch to terminate the session. The switch then attempts reauthentication on behalf of the endpoint. Because the endpoint now exists in the endpoint repository, the NAC server applies an enforcement policy appropriate to the device type when it authenticates the endpoint. For example, if the endpoint is an access point, the NAC server applies the enforcement policy that dynamically assigns the access point to the AP_VLAN VLAN.

To configure the EX switch:

  1. Provide the RADIUS server connection information.
  2. Configure the access profile.
  3. Configure the interface ranges AUTHC and AP.
  4. Configure 802.1X to use ACCESS_PROF_RADIUS and enable the protocol on each access interface. In addition, configure the interfaces to support MAC RADIUS authentication and to allow more than one supplicant, each of which must be individually authenticated.

    By default, the switch will first attempt 802.1X authentication. If it receives no EAP packets from the endpoint, indicating that the endpoint does not have an 802.1X supplicant, it then tries MAC RADIUS authentication.

  5. Configure the VLANs used in this example.
  6. Configure DHCP relay to forward DHCP request packets to the authentication server.

The general steps for configuring the NAC server are:

  • Verify the Juniper-AV-Pair attribute exists in your RADIUS dictionary.

  • Add the EX switch as a network device.

  • Ensure that the server certificate used for 802.1X PEAP authentication has been installed.

  • Add the local user used in this example for 802.1X authentication.

  • Create the following enforcement profiles:

    • VLAN 150 ENF PROF that places endpoints in VLAN 150.

    • JUNIPER VOIP VLAN 120 ENF PROF that defines VLAN 120 as the VoIP VLAN.

    • VLAN 130 ENF PROF that places endpoints in VLAN 130.

    • Internet_Only_Access_Filter_ID_ENF_Prof that specifies the firewall filter Internet_Only_Access be used for devices that have not yet been profiled.

  • Create two enforcement policies:

    • A policy that is invoked when MAC RADIUS authentication is used.

    • A policy that is invoked when 802.1X authentication is used.

  • Define the MAC RADIUS authentication service and the 802.1X authentication service.

  • Ensure that the MAC RADIUS authentication service is evaluated before the 802.1X authentication service.

For more information about configuring dynamic VLANs on your RADIUS server, see the documentation for your RADIUS server.