Dynamic VLAN Assignment for Colorless Ports
Enterprises typically have a variety of users and endpoints, which results in multiple use cases that need to be addressed by their policy infrastructure. The policy infrastructure should enable any supported user device to connect to any port on the access switch and to be authenticated based on the capabilities of the device, the authorization level of the user, or both.
Colorless ports support attaching any device to any switch port because all ports have the same initial configuration. The initial configuration places devices on a default VLAN that is used to authenticate and then profile the device or user. The colorless port concept relies on device profiling for VLAN assignment. Based on the type of device that is connected to the port (AP, IP camera, or printer), the NAC server returns the appropriate VLAN using RADIUS attributes.
Benefits of Dynamic VLAN Assignment for Colorless Ports
- Allow any device to be connected to any port on an access switch.
- Deploy consistent security policies across the enterprise.
Overview
When 802.1X authentication is enabled on a port, the switch (known as the authenticator) blocks all traffic to and from the end device (known as a supplicant) until the supplicant’s credentials are presented and matched on an NAC server. The NAC server is typically a RADIUS server or a policy manager that acts as a RADIUS server. After the supplicant is authenticated, the switch opens the port to the supplicant.
As part of the authentication process, a RADIUS server can return IETF-defined attributes that provide VLAN assignments to the switch. You can configure a policy manager to pass different RADIUS attributes back to the switch based on the endpoint access policy. The switch dynamically changes the VLAN assigned to the port according to the RADIUS attributes it receives.
Egress-VLAN attributes
To support both access and trunk ports as colorless ports, the RADIUS attribute must indicate if the frames on the VLAN for this port are to be represented in tagged or untagged format. The following attributes are supported for dynamically assigning a VLAN and also specifying the frame format:
- Egress-VLAN-ID
- Egress-VLAN-Name
The Egress-VLAN-ID and Egress-VLAN-Name attributes each contain two parts: the first part indicates whether frames on the VLAN for this port are to be represented in tagged or untagged format, and the second part identifies the VLAN (by VLAN ID or by VLAN name, respectively).
For Egress-VLAN-ID:
- 0x31 = tagged
- 0x32 = untagged
For example, the following RADIUS profile includes one tagged and one untagged VLAN:
    001094001177 Cleartext-Password := "001094001177"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Egress-VLANID += 0x3100033,
        Egress-VLANID += 0x3200034
For Egress-VLAN-Name:
- 1 = tagged
- 2 = untagged
In the example below, VLAN vlan-2 is tagged (prefix 1) and VLAN vlan-3 is untagged (prefix 2):
    001094001144 Cleartext-Password := "001094001144"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Egress-VLAN-Name += 1vlan-2,
        Egress-VLAN-Name += 2vlan-3
It is mandatory to include the Tunnel-Type and Tunnel-Medium-Type attributes in the profile with Egress-VLAN-ID or Egress-VLAN-Name.
When the switch receives a VLAN assignment with "Egress-VLAN-ID," it checks if the VLAN is already present in the system. If not, it creates the dynamic VLAN. If the Egress-VLAN-Name is used, the VLAN should be already in the system.
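As an added illustration (not code from the original page or from any vendor), the following Python decodes the Egress-VLANID and Egress-VLAN-Name values carried in entries like the two profiles above and refuses an entry that omits the mandatory Tunnel-Type and Tunnel-Medium-Type attributes. The split of a 0x... Egress-VLANID literal into a first-octet tag indicator and a trailing VLAN ID follows the description above and is an assumption about how the literal is read; the entry parser is a minimal hypothetical one, not the RADIUS server's own.

```python
from __future__ import annotations
import re

# Markers from the text above: first octet of Egress-VLANID, first character of Egress-VLAN-Name.
VLANID_MARKERS = {0x31: "tagged", 0x32: "untagged"}
NAME_MARKERS = {"1": "tagged", "2": "untagged"}

def decode_egress_vlanid(literal: str) -> tuple[str, int]:
    """Split a 0x... Egress-VLANID literal into (frame format, VLAN ID).
    Assumed layout, as described above: the first octet (two hex digits) is the
    tag indicator and the remaining hex digits carry the VLAN ID."""
    m = re.fullmatch(r"0x([0-9a-fA-F]{2})([0-9a-fA-F]{1,6})", literal)
    if not m:
        raise ValueError(f"malformed Egress-VLANID literal: {literal!r}")
    marker, vid = int(m.group(1), 16), int(m.group(2), 16)
    if marker not in VLANID_MARKERS:
        raise ValueError(f"unknown tag indicator 0x{marker:02x} in {literal!r}")
    if not 1 <= vid <= 4094:  # valid 802.1Q VLAN ID range
        raise ValueError(f"VLAN ID {vid} out of range in {literal!r}")
    return VLANID_MARKERS[marker], vid

def decode_egress_vlan_name(value: str) -> tuple[str, str]:
    """Split an Egress-VLAN-Name string into (frame format, VLAN name)."""
    if len(value) < 2 or value[0] not in NAME_MARKERS:
        raise ValueError(f"malformed Egress-VLAN-Name: {value!r}")
    return NAME_MARKERS[value[0]], value[1:]

def vlan_assignments(profile: str) -> list[tuple[str, int | str]]:
    """Return the (frame format, VLAN) pairs a FreeRADIUS-style users entry would
    send, refusing an entry that omits the mandatory Tunnel-Type/Tunnel-Medium-Type."""
    attrs: dict[str, list[str]] = {}
    for m in re.finditer(r"([A-Za-z][\w-]*)\s*\+?=\s*([^,\n]+)", profile):
        attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    if attrs.get("Tunnel-Type") != ["VLAN"] or attrs.get("Tunnel-Medium-Type") != ["IEEE-802"]:
        raise ValueError("Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802 are mandatory")
    pairs: list[tuple[str, int | str]] = [decode_egress_vlanid(v) for v in attrs.get("Egress-VLANID", [])]
    pairs += [decode_egress_vlan_name(v) for v in attrs.get("Egress-VLAN-Name", [])]
    return pairs

# Constructed sample entries, copied from the two profiles shown above.
ID_PROFILE = ('001094001177 Cleartext-Password := "001094001177" Tunnel-Type = VLAN, '
              'Tunnel-Medium-Type = IEEE-802, Egress-VLANID += 0x3100033, Egress-VLANID += 0x3200034')
NAME_PROFILE = ('001094001144 Cleartext-Password := "001094001144" Tunnel-Type = VLAN, '
                'Tunnel-Medium-Type = IEEE-802, Egress-VLAN-Name += 1vlan-2, Egress-VLAN-Name += 2vlan-3')

print(vlan_assignments(ID_PROFILE))    # [('tagged', 51), ('untagged', 52)]
print(vlan_assignments(NAME_PROFILE))  # [('tagged', 'vlan-2'), ('untagged', 'vlan-3')]
```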
Supplicant mode attributes
RADIUS attributes can also be used to change the supplicant mode for 802.1X authentication. Using a Juniper Networks vendor-specific attribute (VSA), you can set the supplicant mode to either single or single-secure:
- Juniper-AV-Pair = Supplicant-Mode-Single
- Juniper-AV-Pair = Supplicant-Mode-Single-Secure
When these attributes are received from the NAC server, the configured supplicant mode is changed to match the VSA value after the session is authenticated. When the session ends, the supplicant mode reverts to the mode that was configured on the system before the VSA was received from the NAC server. When a client session receives the dynamic single supplicant attribute from the RADIUS server, the switch deletes all the other authenticated clients on that interface, effectively changing the interface mode from multiple to single supplicant.