>> I just can't figure out in which cases a switch port ends up in the access VLAN assigned on it, and in which cases in the VLAN configured on the RADIUS server?
>
> The guide has a detailed algorithm
>
> Using 802.1x with VLAN Assignment
>
> The switch supports 802.1x with VLAN assignment. After successful 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, which assigns the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.
>
> When configured on the switch and the RADIUS server, 802.1x with VLAN assignment has these characteristics:
>
> • If no VLAN is supplied by the RADIUS server or if 802.1x authorization is disabled, the port is configured in its access VLAN after successful authentication.
> • If 802.1x authorization is enabled but the VLAN information from the RADIUS server is not valid, the port returns to the unauthorized state and remains in the configured access VLAN. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error. Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, a nonexistent or internal (routed port) VLAN ID, or an attempted assignment to a voice VLAN ID.
> • If 802.1x authorization is enabled and all information from the RADIUS server is valid, the port is placed in the specified VLAN after authentication.
> • If the multiple-hosts mode is enabled on an 802.1x port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host.
> • If 802.1x and port security are enabled on a port, the port is placed in RADIUS server assigned VLAN.
> • If 802.1x is disabled on the port, it is returned to the configured access VLAN.
>
> When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into the configured access VLAN.
>
> If an 802.1x port is authenticated and put in the RADIUS server assigned VLAN, any change to the port access VLAN configuration does not take effect.

This isn't a detailed algorithm, just some poorly structured fragments. This is exactly what I can't figure out.
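The rules from the quoted guide, arranged as one decision function for a single-host port. This is an added example, not part of the posts above or of the vendor guide. The names `Port`, `radius_vlan_valid` and `resolve_vlan`, the order in which the checks run and the sample VLAN numbers are assumptions made for illustration; the multiple-hosts and port-security rules are not modeled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:                       # hypothetical model of one switch port
    access_vlan: int              # VLAN configured on the port itself
    dot1x_enabled: bool = True
    control: str = "auto"         # or "force-authorized" / "force-unauthorized"
    shutdown: bool = False
    routed: bool = False
    voice_vlan: Optional[int] = None

def radius_vlan_valid(port, vlan, existing, internal):
    """Apply the guide's list of configuration errors to a RADIUS-supplied VLAN."""
    if port.routed or not str(vlan).isdecimal():   # routed port, malformed ID
        return False
    vid = int(vlan)
    if vid not in existing or vid in internal:     # nonexistent or internal VLAN
        return False
    return vid != port.voice_vlan                  # voice VLAN cannot be assigned

def resolve_vlan(port, auth_ok, authz_enabled, radius_vlan, existing, internal=frozenset()):
    """Return (vlan, state) for the port after one authentication attempt."""
    access = port.access_vlan
    if not port.dot1x_enabled:
        return access, "802.1x disabled"
    if port.shutdown:
        return access, "shutdown"
    if port.control != "auto":                     # force-authorized / force-unauthorized
        return access, port.control
    if not auth_ok:
        return access, "unauthorized"
    if radius_vlan is None or not authz_enabled:   # nothing to apply
        return access, "authorized"
    if not radius_vlan_valid(port, radius_vlan, existing, internal):
        return access, "unauthorized"              # bad VLAN: port falls back
    return int(radius_vlan), "authorized"

if __name__ == "__main__":
    # Constructed sample: access VLAN 10, voice VLAN 50, VLANs 10/20/50 exist.
    port = Port(access_vlan=10, voice_vlan=50)
    for vlan in (None, "20", "999", "50", "abc"):
        print(vlan, resolve_vlan(port, True, True, vlan, {10, 20, 50}))
```
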