VLAN Assignment
A more advanced form of authorization is VLAN assignment. VLAN assignment is achieved through the ability of a network to dynamically assign a VLAN to a client-connecting port based on the outcome of the authentication process. Fundamentally, this capability is based on the standards outlined in RFC 2868. By dynamically assigning VLAN values to client-connecting ports based on the client's authenticated identity, the network retains the ability to group users according to administrative policy. This allows the notion of groups and group-specific policy profiles to be carried down to the networking level. An example of this would be users in Group A being allowed full access, while users in Group B are limited to accessing only public resources and servers that hold nonconfidential information. Applying the ability to limit access by risk criteria or levels allows a network administrator to reduce overall security exposure and risk. Also, because of the consistent architecture that MAB promotes along with 802.1X, both techniques can automatically leverage any specialized policy management that is available to be deployed with the same underlying architecture.
No special configuration on a switch is needed to achieve dynamic VLAN assignment with 802.1X or MAB. VLAN assignment is done by name with MAB, as it is with 802.1X. This can support flexible VLAN-management techniques for various Layer 2 or Layer 3 VTP architectures, which allows this capability to extend across separate Layer 2 domains. The architecture also allows for policies to be applied to groups or at a per-device level. Depending on the specific need, either 802.1X devices or MAB devices can be managed on a per-host basis.
Remember: On Cisco IOS-based switches, make sure you enable AAA and specify the authentication and authorization methods:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
For an authentication server, three standard RADIUS attributes are required, as defined by
RFC 2868:
[64] Tunnel-Type: “VLAN” (13)
[65] Tunnel-Medium-Type: “802” (6)
[81] Tunnel-Private-Group-ID: VLAN name
The main benefits of dynamically assigning VLANs based on authenticated identity are the ability to enforce group security and access policies.
These attributes allow any user who is a member of the group configured for VLAN assignment to be placed in that VLAN. The VLAN (and its name) must exist on the switch, and the name must be identical to the one configured on the authentication server, including white space and capitalization. If any of these do not match, the switch denies authorization. A user might present a credential that would allow him access to the network on a VLAN; however, if the switch cannot verify the information about the VLAN itself (because of a VLAN name mismatch, a typo, and so on), the switch treats this as the user not providing valid credentials.
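The attribute format and the switch-side name check described above, shown as an added Python example that is not code from the page or from Cisco: it encodes attributes 64, 65 and 81 in the tagged layout RFC 2868 specifies for an Access-Accept, parses them back the way a switch would, and denies authorization unless the Tunnel-Private-Group-ID matches an entry in the switch's VLAN table byte for byte. The VLAN table is constructed for the example, and the zero Tag octet and UTF-8 name encoding are assumptions.

```python
import struct

# Attribute numbers and enumerated values from RFC 2868 (the page's attributes 64, 65 and 81)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type "802"
TAG_UNUSED = 0x00            # RFC 2868: a Tag field that is not in use MUST be zero (assumption: untagged)

# Constructed sample of a switch's VLAN database: VLAN name -> VLAN ID
SWITCH_VLANS = {"Engineering": 10, "Guest Access": 20}


def _tagged_attribute(attr_type: int, payload: bytes) -> bytes:
    """Build one tagged RADIUS attribute: Type, Length, Tag octet, then the payload."""
    length = 3 + len(payload)                   # Type + Length + Tag + payload
    if length > 255:
        raise ValueError("attribute too long for a one-octet RADIUS length")
    return struct.pack("!BBB", attr_type, length, TAG_UNUSED) + payload


def encode_vlan_assignment(vlan_name: str) -> bytes:
    """Encode the three attributes a server returns in Access-Accept for VLAN assignment.
    The name travels byte for byte; the server never normalises case or whitespace."""
    return (
        _tagged_attribute(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _tagged_attribute(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802.to_bytes(3, "big"))
        + _tagged_attribute(TUNNEL_PRIVATE_GROUP_ID, vlan_name.encode("utf-8"))
    )


def decode_attributes(data: bytes) -> dict:
    """Parse a stream of RADIUS attributes into {type: raw value after the Length octet}."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def _untag(value: bytes, is_string: bool) -> bytes:
    """Drop the Tag octet. For the string attribute (81), RFC 2868 says a first octet
    above 0x1F is not a tag but the first byte of the string, so it is kept."""
    if not value:
        return value
    if is_string and value[0] > 0x1F:
        return value
    return value[1:]


def authorize(access_accept: bytes, switch_vlans: dict = SWITCH_VLANS):
    """Model the switch's authorization decision: (True, vlan_id) or (False, reason)."""
    try:
        attrs = decode_attributes(access_accept)
    except ValueError as exc:
        return False, f"malformed attributes: {exc}"
    for required in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if required not in attrs:
            return False, f"attribute {required} missing; authorization denied"
    if int.from_bytes(_untag(attrs[TUNNEL_TYPE], False), "big") != TUNNEL_TYPE_VLAN:
        return False, "Tunnel-Type is not VLAN (13); authorization denied"
    if int.from_bytes(_untag(attrs[TUNNEL_MEDIUM_TYPE], False), "big") != TUNNEL_MEDIUM_802:
        return False, "Tunnel-Medium-Type is not 802 (6); authorization denied"
    name = _untag(attrs[TUNNEL_PRIVATE_GROUP_ID], True).decode("utf-8", errors="replace")
    # Exact lookup: no case folding and no whitespace trimming, so "engineering" or
    # "Engineering " are rejected exactly as a VLAN that was never created would be.
    if name not in switch_vlans:
        return False, f"VLAN name {name!r} not present on switch; authorization denied"
    return True, switch_vlans[name]


if __name__ == "__main__":
    for candidate in ("Engineering", "engineering", "Engineering ", "Finance"):
        print(repr(candidate), "->", authorize(encode_vlan_assignment(candidate)))
```

Running the block shows only the exact name succeeding; the case and trailing-space variants fail with the same denial as a VLAN that does not exist, which is why a mismatch between the server and the switch is indistinguishable from a bad credential from the user's point of view.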
By leveraging dynamic policy enforcement, this completes the ability to differentiate between 802.1X and 802.1X-clientless sessions on the network. Attaining advanced forms of authorization, such as VLAN assignment, also increases the end-to-end impact of IBNS in providing access control.
Summary
Through the use of IBNS technology, you can improve your network security model. With the increasing demands on today's networks and the need to share information not only within an organization but also with the outside world, security, along with network access, has become a top priority. Value provided by IBNS includes keeping outsiders out and reducing potential network attacks. This way, only authorized users can gain network access; unauthorized or unknown users can be denied access or granted guest access.
Chapter 17: Identity-Based Networking Services with 802.1X
The IEEE 802.1X specification for port-based network control has become the standard method for Layer 2 authenticated access, not only with wireless, but also with wired ports. 802.1X is a core technology component in support of access control to advance end-to-end IBNS. One challenge in wired topologies with IEEE 802.1X is how to support yesterday's cutting edge, which is now today's legacy. Most legacy devices (such as printers and VoIP phones) and some emerging devices (such as IP security cameras) do not have the ability to support an 802.1X supplicant, but they must be included in any universal IBNS architecture. MAB is not meant to replace 802.1X; instead, it is meant to allow for an alternate means of authentication when a host or device does not respond to the network access device's request for credentials. The IEEE 802.1X standard and MAB allow for the dynamic configuration of access ports and the implementation of the corporate security policy at the port level. MAB addresses the difficulty of deploying an 802.1X infrastructure throughout the LAN. An 802.1X supplicant is required to authenticate to an authentication server through a network access device. MAB allows devices without this 802.1X capability to access the network and perform their intended function while still allowing Layer 2 authentication to occur and participate in the dynamic deployment of network policy.
The Guest-VLAN is also an option for devices incapable of 802.1X. By combining MAB and the Guest-VLAN, you can now differentiate among clientless stations in support of device-specific access control as an application of IBNS. Also, the access-control methods described in this chapter provide multiple levels of user access, which makes them the first element of network security. These access levels can also take on more of a matrix model, with administrative and local roles dictating where access can be applied. Overall, IBNS can help reduce overall risk, add value, and remove operational cost (while promoting security) from your business because of its logical network overlay.
References
IEEE. IEEE P802.1X-REV/D11. Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control. July 2004.
IETF. RFC 2868, "RADIUS Attributes for Tunnel Protocol Support." June 2000.
IETF. RFC 3748, "Extensible Authentication Protocol (EAP)." June 2004.
IETF. RFC 3579, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)." September 2003.
IETF. RFC 3580, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines." September 2003.