One action we take with 802.1x is the assignment of VLANs. This can be a bit confusing, as students aren’t always sure which VLAN to use. This post discusses the five types of VLAN assignments in 802.1x and when to use them. While each network is different and the design goals of an IT organization will dictate which assignments should be applied and where, this article aims to give you a better idea of what the VLAN assignments are used for. The following table overviews the VLAN types:
| VLAN Name | How It's Assigned |
|---|---|
| Assigned VLAN | Dynamically by ISE |
| Guest VLAN | When no supplicant is detected and MAB is not in use |
| Restricted VLAN | When the supplicant fails authentication |
| Default VLAN | Configured on the port and used when authentication succeeds and no VLAN is assigned |
| Critical VLAN | Used when the authentication server is unavailable |
Let’s go into more detail on these VLAN types.
The authentication server, most likely in our case being Cisco ISE, assigns the VLAN using an access-accept RADIUS message. There are cases where we want to send a VLAN when rejecting authorization as well, and this is also possible. Whatever VLAN you assign still needs to exist on the switch. In Cisco ISE this VLAN is configured in an Authorization Profile, as seen in the figure below.
When a port is configured for 802.1x, a user that does not have an 802.1x client will normally be denied access. When you configure a Guest VLAN on the port and the switch doesn’t see EAPOL packets or when the client doesn’t respond to the EAP request or an identity frame from ISE, the user can still be given some form of access as allowed by the Guest VLAN. The configuration of the Guest VLAN varies depending on the use of Cisco IOS or IOS XE. Refer to the Cisco documentation for your specific version of switch for configuration details.
A Restricted VLAN is used as an authentication failed VLAN. It too can provide limited access, just like a Guest VLAN, however this VLAN is used when a client exists. In other words, assume that a guest comes on the network who is using 802.1x in their home network. They have a supplicant that can send EAPOL packets and it will respond to the switch. The problem they run into is that they will fail authentication. This is why a restricted VLAN is helpful. Restricted VLAN can provide them similar access to that of a Guest VLAN. The configuration of the Restricted VLAN varies depending on the use of Cisco IOS or IOS XE. Refer to the Cisco documentation for your specific version of switch for configuration details.
The Default VLAN is the VLAN that is configured on the port. If no VLAN is assigned by Cisco ISE then this VLAN will be used, unless a Guest or Restricted VLAN applies. The default VLAN is configured with the command switchport access vlan xx.
Note that if no VLAN is defined on the switch then VLAN 1 is the default VLAN.
A Critical VLAN is also configured on the switch. This VLAN is used when the authentication server, Cisco ISE, is unavailable. The configuration of the Critical VLAN may vary depending on the use of Cisco IOS or IOS XE. Refer to the Cisco documentation for your specific version of switch for configuration details.
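To tie the five cases together, here is an added worked example (not code from the original post, and not Cisco or ISE code). It parses the RFC 2868 tunnel attributes that a RADIUS Access-Accept carries for a dynamic VLAN (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81), then applies the fallback order described above: critical when the server is unreachable, guest when no supplicant answers, restricted when authentication fails, the assigned VLAN when ISE sends one that exists on the switch, otherwise the port's configured default. The `PortConfig` class, the `resolve_vlan` function, the outcome names and the sample VLAN numbers are assumptions made for the example; the rule that an assigned VLAN missing from the switch leaves the port unauthorized is also an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional

# RFC 2868 tunnel attributes used for dynamic VLAN assignment in an Access-Accept
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID or VLAN name, as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def parse_avps(payload: bytes):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated AVP header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"malformed AVP length {alen} for type {atype}")
        avps.append((atype, payload[i + 2:i + alen]))
        i += alen
    return avps


def _untag(value: bytes) -> bytes:
    # RFC 2868: a leading byte in 0x00..0x1F is a tag, not part of the value
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_access_accept(payload: bytes) -> Optional[str]:
    """Return the VLAN the server asked for, or None unless all three attributes agree."""
    ttype = medium = group = None
    for atype, value in parse_avps(payload):
        if atype == TUNNEL_TYPE:
            ttype = int.from_bytes(_untag(value), "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(_untag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = _untag(value).decode("ascii", errors="replace")
    if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802 and group:
        return group
    return None


def avp(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, total length, value."""
    return bytes([atype, len(value) + 2]) + value


def tagged_int(tag: int, n: int) -> bytes:
    """Tagged integer form of a tunnel attribute: 1 tag byte + 3 value bytes."""
    return bytes([tag]) + n.to_bytes(3, "big")


# Constructed sample: what an Authorization Profile assigning VLAN 30 puts on the wire
SAMPLE_ACCEPT = (
    avp(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
    + avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE802))
    + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"30")
)


@dataclass
class PortConfig:
    """Hypothetical per-port model (not IOS syntax); None means that fallback is not configured."""
    access_vlan: int = 1  # 'switchport access vlan xx'; VLAN 1 when nothing is set
    guest_vlan: Optional[int] = None
    restricted_vlan: Optional[int] = None
    critical_vlan: Optional[int] = None


def resolve_vlan(port: PortConfig, switch_vlans: dict, outcome: str, accept_payload: bytes = None):
    """Decide which VLAN the port lands in.

    outcome is one of 'server_unreachable', 'no_supplicant', 'auth_failed', 'auth_success';
    switch_vlans maps VLAN IDs that exist on the switch to their names.
    Returns (vlan_id or None, reason); None means the port stays unauthorized.
    """
    if outcome == "server_unreachable":
        return (port.critical_vlan, "critical") if port.critical_vlan else (None, "server down, no critical VLAN")
    if outcome == "no_supplicant":
        return (port.guest_vlan, "guest") if port.guest_vlan else (None, "no supplicant, no guest VLAN")
    if outcome == "auth_failed":
        return (port.restricted_vlan, "restricted") if port.restricted_vlan else (None, "auth failed, no restricted VLAN")
    if outcome != "auth_success":
        raise ValueError(f"unknown outcome {outcome!r}")
    assigned = vlan_from_access_accept(accept_payload) if accept_payload else None
    if assigned is None:
        return port.access_vlan, "default"  # Access-Accept without a VLAN: port's own VLAN
    # The assigned VLAN must exist on the switch; ISE may send an ID or a name
    if assigned.isdigit():
        vid = int(assigned)
    else:
        vid = next((i for i, name in switch_vlans.items() if name == assigned), None)
    if vid not in switch_vlans:
        # Assumption in this example: an unknown VLAN leaves the port unauthorized
        return None, f"assigned VLAN {assigned!r} does not exist on switch"
    return vid, "assigned"
```

Run `resolve_vlan(PortConfig(access_vlan=10, guest_vlan=20), {10: "users", 20: "guest", 30: "finance"}, "auth_success", SAMPLE_ACCEPT)` to see the assigned case win over the default; drop the payload and the port falls back to VLAN 10. The attribute parser is deliberately strict about lengths because a NAS accepting a truncated attribute list is a classic source of mis-assigned VLANs.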