Dynamic VLAN Assignment for Colorless Ports

Enterprises typically have a variety of users and endpoints, which results in multiple use cases that need to be addressed by their policy infrastructure. The policy infrastructure should enable any supported user device to connect to any port on the access switch and to be authenticated based on the capabilities of the device, the authorization level of the user, or both.

Colorless ports support attaching any device to any switch port because every port starts with the same initial configuration. That initial configuration places a newly connected device on a default VLAN, which is used to authenticate and then profile the device or user. The colorless port concept relies on device profiling for VLAN assignment: based on the type of device connected to the port (for example, an AP, IP camera, or printer), the NAC server returns the appropriate VLAN in RADIUS attributes.

Benefits of Dynamic VLAN Assignment for Colorless Ports

  • Allow any device to be connected to any port on an access switch.

  • Deploy consistent security policies across the enterprise.

Overview

When 802.1X authentication is enabled on a port, the switch (the authenticator) blocks all traffic to and from the end device (the supplicant) until the supplicant presents credentials that are matched on a NAC server. The NAC server is typically a RADIUS server, or a policy manager that acts as a RADIUS server. After the supplicant is authenticated, the switch opens the port to the supplicant.

As part of the authentication process, a RADIUS server can return IETF-defined attributes that provide VLAN assignments to the switch. You can configure a policy manager to pass different RADIUS attributes back to the switch based on the endpoint access policy. The switch dynamically changes the VLAN assigned to the port according to the RADIUS attributes it receives.

Egress-VLAN attributes

To support both access and trunk ports as colorless ports, the RADIUS attribute must indicate if the frames on the VLAN for this port are to be represented in tagged or untagged format. The following attributes are supported for dynamically assigning a VLAN and also specifying the frame format:

  • Egress-VLAN-ID

  • Egress-VLAN-Name

Both the Egress-VLAN-ID and the Egress-VLAN-Name attribute carry two parts: the first part indicates whether frames on the VLAN for this port are to be sent tagged or untagged, and the second part identifies the VLAN, as a numeric VLAN ID for Egress-VLAN-ID or as a VLAN name for Egress-VLAN-Name.

For Egress-VLAN-ID:

  • 0x31 = tagged

  • 0x32 = untagged

For example, the following RADIUS profile includes one tagged and one untagged VLAN:

For Egress-VLAN-Name:

  • 1 = tagged

  • 2 = untagged

In the example below, the value 1vlan-2 assigns VLAN vlan-2 as tagged, and the value 2vlan-3 assigns VLAN vlan-3 as untagged:

Note:

It is mandatory to include the Tunnel-Type and Tunnel-Medium-Type attributes in the profile with Egress-VLAN-ID or Egress-VLAN-Name.

When the switch receives a VLAN assignment with Egress-VLAN-ID, it checks whether that VLAN already exists on the switch; if not, it creates the VLAN dynamically. When Egress-VLAN-Name is used, the VLAN must already exist on the switch, and the assignment fails otherwise. This difference matters for policy: with Egress-VLAN-ID, the RADIUS server's policy is the only control over which VLAN IDs a port can be placed in, whereas Egress-VLAN-Name limits assignment to VLANs that were provisioned on the switch in advance.
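The following Python is an added example, not code from this page or from Juniper. It encodes and decodes the two attribute formats as laid out in RFC 4675 (a tag octet of 0x31 or 0x32 followed by a zero pad and a 12-bit VLAN ID for Egress-VLAN-ID; a leading '1' or '2' followed by the VLAN name for Egress-VLAN-Name), then parses a constructed FreeRADIUS-style reply profile and refuses to decode any VLAN assignment unless Tunnel-Type and Tunnel-Medium-Type are present, as the note above requires. The attribute spelling Egress-VLANID (no hyphen) is the one used in the FreeRADIUS dictionary; the sample profiles, VLAN numbers and VLAN names are constructed for the example.

```python
"""Added example: RFC 4675 Egress-VLANID / Egress-VLAN-Name handling for colorless ports.

Not taken from the page or from Juniper; the sample profiles below are constructed.
"""
from __future__ import annotations

TAGGED = 0x31    # RFC 4675 tag indication: ASCII '1' = frames on this VLAN are tagged
UNTAGGED = 0x32  # ASCII '2' = frames on this VLAN are untagged

MANDATORY = {"Tunnel-Type", "Tunnel-Medium-Type"}  # must accompany either Egress attribute


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Build the 4-octet Egress-VLANID value: tag octet, 12 zero pad bits, 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value: int) -> tuple[int, bool]:
    """Return (vlan_id, tagged) from an Egress-VLANID integer, rejecting malformed values."""
    tag = (value >> 24) & 0xFF
    pad = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indication 0x{tag:02x}")
    if pad != 0:
        raise ValueError("pad bits must be zero")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return vlan_id, tag == TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> str:
    """Egress-VLAN-Name is the VLAN name prefixed with '1' (tagged) or '2' (untagged)."""
    if not name:
        raise ValueError("empty VLAN name")
    return ("1" if tagged else "2") + name


def decode_egress_vlan_name(value: str) -> tuple[str, bool]:
    """Return (vlan_name, tagged) from an Egress-VLAN-Name string."""
    if len(value) < 2 or value[0] not in "12":
        raise ValueError(f"malformed Egress-VLAN-Name: {value!r}")
    return value[1:], value[0] == "1"


def parse_reply_attributes(profile: str) -> list[tuple[str, str]]:
    """Parse 'Name = value,' lines (FreeRADIUS users-file reply style) into (name, value) pairs."""
    attrs = []
    for line in profile.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",")  # drop comments and trailing commas
        if not line:
            continue
        name, _, value = line.partition("=")
        attrs.append((name.strip(), value.strip().strip('"')))
    return attrs


def vlan_assignments(profile: str) -> list[tuple[int | str, bool]]:
    """Decode every VLAN assignment in a profile, enforcing the mandatory tunnel attributes."""
    attrs = parse_reply_attributes(profile)
    missing = MANDATORY - {name for name, _ in attrs}
    if missing:
        raise ValueError(f"profile lacks mandatory attribute(s): {sorted(missing)}")
    out: list[tuple[int | str, bool]] = []
    for name, value in attrs:
        if name == "Egress-VLANID":
            out.append(decode_egress_vlanid(int(value, 0)))  # int(..., 0) accepts 0x... hex
        elif name == "Egress-VLAN-Name":
            out.append(decode_egress_vlan_name(value))
    return out


# Constructed sample profiles (not from the page): one using VLAN IDs, one using VLAN names.
PRINTER_PROFILE_BY_ID = """\
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Egress-VLANID = 0x31000064,   # VLAN 100, tagged
    Egress-VLANID = 0x32000065    # VLAN 101, untagged
"""

PRINTER_PROFILE_BY_NAME = """\
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Egress-VLAN-Name = "1vlan-2",  # vlan-2, tagged
    Egress-VLAN-Name = "2vlan-3"   # vlan-3, untagged
"""

if __name__ == "__main__":
    for profile in (PRINTER_PROFILE_BY_ID, PRINTER_PROFILE_BY_NAME):
        for vlan, tagged in vlan_assignments(profile):
            print(f"{vlan}: {'tagged' if tagged else 'untagged'}")
```

The decoder rejects a non-zero pad field and tag octets other than 0x31/0x32 rather than silently mapping them, which is the behaviour you want when validating a policy manager's output before trusting it to place a port in a VLAN.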

Supplicant mode attributes

RADIUS attributes can also be used to change the supplicant mode for 802.1X authentication. Using a Juniper Networks vendor-specific attribute (VSA), you can set the supplicant mode to either single or single-secure:

  • Juniper-AV-Pair = Supplicant-Mode-Single

  • Juniper-AV-Pair = Supplicant-Mode-Single-Secure

When one of these attributes is received from the NAC server, the supplicant mode configured on the port is changed to match the VSA value once the session is authenticated. When the session ends, the supplicant mode reverts to the mode that was configured on the switch before the VSA was received.