Device Security 101

Much of the configuration to assign hosts to a particular VLAN takes place on the RADIUS server or 802.1X authenticator. If you use an external RADIUS server to manage VLANs, you configure the server to use Tunnel attributes in Access-Accept messages in order to inform the switch about the selected VLAN. These attributes are defined in RFC 2868, and their use for dynamic VLAN is specified in RFC 3580.

The VLAN attributes defined in RFC 3580 are as follows:

• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID

VLANID is 12 bits and has a value between 1 and 4093.

Guest VLAN

The Guest VLAN feature allows a switch to provide a distinguished service to unauthenticated users. This feature provides a mechanism to allow visitors and contractors to have network access to reach the external network with no ability to browse information on the internal LAN.

In port-based 802.1X mode, when a client that does not support 802.1X is connected to an unauthorized port that is 802.1X-enabled, the client does not respond to the 802.1X requests from the switch. Therefore, the port remains in the unauthorized state, and the client is not granted access to the network. If a guest VLAN is configured for that port, then the port is placed in the configured guest VLAN and the port is moved to the authorized state, allowing access to the client. However, if the port is in MAC-based 802.1X authentication mode, it will not move to the authorized state. MAC-based mode makes it possible for both authenticated and guest clients to use the same port at the same time.

Client devices that are 802.1X-supplicant-enabled authenticate with the switch when they are plugged into the 802.1X-enabled switch port. The switch verifies the credentials of the client by communicating with an authentication server. If the credentials are verified, the authentication server informs the switch to 'unblock' the switch port and allows the client unrestricted access to the network; i.e., the client is a member of an internal VLAN.

Beginning with software release 2.1, Guest VLAN Supplicant mode is configured on a per-port basis. If a client does not attempt authentication on a port and the port is configured for Guest VLAN, the client is assigned to the guest VLAN configured on that port. The port is assigned a Guest VLAN ID and is moved to the authorized status. Disabling the supplicant mode does not clear the ports that are already authorized and assigned Guest VLAN IDs.

CLI Examples

The following examples show how to configure the switch to accept RADIUS-assigned VLANs and Guest VLANs. The examples assume that the RADIUS server and VLAN information have already been configured on the switch. For information about how to configure VLANs, see "Virtual LANs" on page 25.
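Separately from the switch CLI examples the guide refers to, the following added example (not from this guide or the switch vendor) shows how the three tunnel attributes listed earlier appear on the wire in an Access-Accept and how an authenticator could validate them before placing a port in a VLAN. The function names and the sample packet are constructed for illustration, and the VLAN range check uses the 1 to 4093 range stated in this guide.

```python
import struct

# Attribute numbers and enumerated values per RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802, ACCESS_ACCEPT = 13, 6, 2
VLAN_MIN, VLAN_MAX = 1, 4093  # range as stated in this guide

def attributes(packet):
    """Yield (type, value) pairs from an Access-Accept, rejecting malformed input.
    The Response Authenticator is NOT verified here; a real authenticator must do so first."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20  # code, id, length, then the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def assigned_vlan(packet):
    """Return the RADIUS-assigned VLAN ID, or None if no complete, valid set is present."""
    tunnels = {}  # tag -> {attribute type: value}
    for a_type, value in attributes(packet):
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            # One tag octet followed by a 3-octet value
            tunnels.setdefault(value[0], {})[a_type] = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet above 0x1F is part of the string, not a tag (RFC 2868)
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[a_type] = text
    for tag in sorted(tunnels):
        t = tunnels[tag]
        vlan = t.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if (t.get(TUNNEL_TYPE) == TT_VLAN and t.get(TUNNEL_MEDIUM_TYPE) == TMT_IEEE_802
                and vlan.isdigit() and VLAN_MIN <= int(vlan) <= VLAN_MAX):
            return int(vlan)
    return None  # caller should fall back to its default policy, not guess a VLAN

def build_accept(*attrs):
    """Constructed sample packet with a zeroed authenticator (illustration only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build_accept((TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
                      (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
                      (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20"))
```

`assigned_vlan(SAMPLE)` returns 20; an Access-Accept whose tunnel attributes are incomplete, carry mismatched tags, or name an out-of-range VLAN yields `None`.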