https://community.extremenetworks.com/t5/faqs/background-about-rfc-3580-s-vlan-assignment-upon-802-1x/m-p/42536#M114 Article ID: 7312 <BR /> <BR /> <B>Protocols/Features</B><BR /> Radius<BR /> Tunnel <BR /> <BR /> <B>Standards</B><BR /> RFC 3580<BR /> RFC3580<BR /> 802.1x <BR /> <BR /> <B>Symptoms</B><BR /> "Tunnel-Type"<BR /> "Tunnel-Medium-Type"<BR /> "Tunnel-Private-Group-ID" <BR /> <BR /> <B>Cause</B><BR /> This article reproduces <I>only</I> the Abstract and Tunnel Attributes sections of <A href="http://www.ietf.org/rfc/rfc3580.txt" target="_blank" rel="nofollow noreferrer noopener">RFC3580</A>, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines". <BR /> <BR /> The rationale is to provide background regarding what a growing number of Enterasys products are now supporting: the ability to VLAN-assign a 802.1x Supplicant (user) at the time of Authentication (<A href="http://bit.ly/19LXsqz" target="_blank" rel="nofollow noreferrer noopener">5532</A>). This is implemented by means of the following Radius Tunnel Attributes: Tunnel-Type=13 (VLAN), Tunnel-Medium-Type=6 (802), Tunnel-Private-Group-ID=&lt;<I>VlanID</I>&gt;. <BR /> <BR /> Here is a list of these products as of June 14 2006:<UL> <LI>Matrix E1, firmware 3.05.09 and higher </LI><LI>Matrix N-Series (DFE), firmware 5.31.17 and higher </LI><LI>Matrix V2, firmware 2.5.1.1 and higher </LI><LI>RBT3K-xG (AP3000), firmware 2.1.1 and higher </LI><LI>SecureStack C2, firmware 3.02.30 and higher </LI><LI>SecureStack B2, firmware 1.01.25 and higher </LI><LI>SecureStack A2, firmware 1.01.20 and higher</LI></UL> To determine the degree of RFC 3580 support on a given hardware product, see that product's latest firmware release notes. <BR /> <BR /> <B>Solution<BR /> <BR /> </B>Abstract<BR /> <BR /> This document provides suggestions on Remote Authentication Dial In<BR /> User Service (RADIUS) usage by IEEE 802.1X Authenticators. The<BR /> material in this document is also included within a non-normative<BR /> Appendix within the IEEE 802.1X specification, and is being<BR /> presented as an IETF RFC for informational purposes.<BR /> <BR /> 3.31. Tunnel Attributes<BR /> <BR /> Reference [RFC2868] defines RADIUS tunnel attributes used for<BR /> authentication and authorization, and [RFC2867] defines tunnel<BR /> attributes used for accounting. Where the IEEE 802.1X Authenticator<BR /> supports tunneling, a compulsory tunnel may be set up for the<BR /> Supplicant as a result of the authentication.<BR /> <BR /> In particular, it may be desirable to allow a port to be placed<BR /> into a particular Virtual LAN (VLAN), defined in [IEEE8021Q], based<BR /> on the result of the authentication. This can be used, for example,<BR /> to allow a wireless host to remain on the same VLAN as it moves<BR /> within a campus network.<BR /> <BR /> The RADIUS server typically indicates the desired VLAN by including<BR /> tunnel attributes within the Access-Accept. However, the IEEE<BR /> 802.1X Authenticator may also provide a hint as to the VLAN to be<BR /> assigned to the Supplicant by including Tunnel attributes within<BR /> the Access-Request.<BR /> <BR /> For use in VLAN assignment, the following tunnel attributes are<BR /> used:<BR /> <BR /> Tunnel-Type=VLAN (13)<BR /> Tunnel-Medium-Type=802<BR /> Tunnel-Private-Group-ID=VLANID<BR /> <BR /> Note that the VLANID is 12-bits, taking a value between 1 and 4094,<BR /> inclusive. Since the Tunnel-Private-Group-ID is of type String as<BR /> defined in [RFC2868], for use with IEEE 802.1X, the VLANID integer<BR /> value is encoded as a string.<BR /> <BR /> When Tunnel attributes are sent, it is necessary to fill in the Tag<BR /> field. As noted in [RFC2868], section 3.1:<BR /> <BR /> The Tag field is one octet in length and is intended to <BR /> provide a means of grouping attributes in the same packet<BR /> which refer to the same tunnel. Valid values for this field<BR /> are 0x01 through 0x1F, inclusive. If the Tag field is unused,<BR /> it MUST be zero (0x00).<BR /> <BR /> For use with Tunnel-Client-Endpoint, Tunnel-Server-Endpoint,<BR /> Tunnel-Private-Group-ID, Tunnel-Assignment-ID, Tunnel-Client-Auth-<BR /> ID or Tunnel-Server-Auth-ID attributes (but not Tunnel-Type,<BR /> Tunnel-Medium-Type, Tunnel-Password, or Tunnel-Preference), a tag<BR /> field of greater than 0x1F is interpreted as the first octet of the<BR /> following field.<BR /> <BR /> Unless alternative tunnel types are provided, (e.g. for IEEE 802.1X<BR /> Authenticators that may support tunneling but not VLANs), it is<BR /> only necessary for tunnel attributes to specify a single tunnel. As<BR /> a result, where it is only desired to specify the VLANID, the tag<BR /> field SHOULD be set to zero (0x00) in all tunnel attributes. Where<BR /> alternative tunnel types are to be provided, tag values between<BR /> 0x01 and 0x1F SHOULD be chosen.<BR /> <BR /> See also: <A href="http://www.ietf.org/rfc/rfc2868.txt" target="_blank" rel="nofollow noreferrer noopener">RFC2868</A> and <A href="http://www.ietf.org/rfc/rfc2867.txt" target="_blank" rel="nofollow noreferrer noopener">RFC2867</A>.<BR /> Fri, 22 Nov 2013 08:32:00 GMT FAQ_User 2013-11-22T08:32:00Z https://community.extremenetworks.com/t5/faqs/background-about-rfc-3580-s-vlan-assignment-upon-802-1x/m-p/42536#M114 Article ID: 7312 <BR /> <BR /> <B>Protocols/Features</B><BR /> Radius<BR /> Tunnel <BR /> <BR /> <B>Standards</B><BR /> RFC 3580<BR /> RFC3580<BR /> 802.1x <BR /> <BR /> <B>Symptoms</B><BR /> "Tunnel-Type"<BR /> "Tunnel-Medium-Type"<BR /> "Tunnel-Private-Group-ID" <BR /> <BR /> <B>Cause</B><BR /> This article reproduces <I>only</I> the Abstract and Tunnel Attributes sections of <A href="http://www.ietf.org/rfc/rfc3580.txt" target="_blank" rel="nofollow noreferrer noopener">RFC3580</A>, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines". <BR /> <BR /> The rationale is to provide background regarding what a growing number of Enterasys products are now supporting: the ability to VLAN-assign a 802.1x Supplicant (user) at the time of Authentication (<A href="http://bit.ly/19LXsqz" target="_blank" rel="nofollow noreferrer noopener">5532</A>). This is implemented by means of the following Radius Tunnel Attributes: Tunnel-Type=13 (VLAN), Tunnel-Medium-Type=6 (802), Tunnel-Private-Group-ID=&lt;<I>VlanID</I>&gt;. <BR /> <BR /> Here is a list of these products as of June 14 2006:<UL> <LI>Matrix E1, firmware 3.05.09 and higher </LI><LI>Matrix N-Series (DFE), firmware 5.31.17 and higher </LI><LI>Matrix V2, firmware 2.5.1.1 and higher </LI><LI>RBT3K-xG (AP3000), firmware 2.1.1 and higher </LI><LI>SecureStack C2, firmware 3.02.30 and higher </LI><LI>SecureStack B2, firmware 1.01.25 and higher </LI><LI>SecureStack A2, firmware 1.01.20 and higher</LI></UL> To determine the degree of RFC 3580 support on a given hardware product, see that product's latest firmware release notes. <BR /> <BR /> <B>Solution<BR /> <BR /> </B>Abstract<BR /> <BR /> This document provides suggestions on Remote Authentication Dial In<BR /> User Service (RADIUS) usage by IEEE 802.1X Authenticators. The<BR /> material in this document is also included within a non-normative<BR /> Appendix within the IEEE 802.1X specification, and is being<BR /> presented as an IETF RFC for informational purposes.<BR /> <BR /> 3.31. Tunnel Attributes<BR /> <BR /> Reference [RFC2868] defines RADIUS tunnel attributes used for<BR /> authentication and authorization, and [RFC2867] defines tunnel<BR /> attributes used for accounting. Where the IEEE 802.1X Authenticator<BR /> supports tunneling, a compulsory tunnel may be set up for the<BR /> Supplicant as a result of the authentication.<BR /> <BR /> In particular, it may be desirable to allow a port to be placed<BR /> into a particular Virtual LAN (VLAN), defined in [IEEE8021Q], based<BR /> on the result of the authentication. This can be used, for example,<BR /> to allow a wireless host to remain on the same VLAN as it moves<BR /> within a campus network.<BR /> <BR /> The RADIUS server typically indicates the desired VLAN by including<BR /> tunnel attributes within the Access-Accept. However, the IEEE<BR /> 802.1X Authenticator may also provide a hint as to the VLAN to be<BR /> assigned to the Supplicant by including Tunnel attributes within<BR /> the Access-Request.<BR /> <BR /> For use in VLAN assignment, the following tunnel attributes are<BR /> used:<BR /> <BR /> Tunnel-Type=VLAN (13)<BR /> Tunnel-Medium-Type=802<BR /> Tunnel-Private-Group-ID=VLANID<BR /> <BR /> Note that the VLANID is 12-bits, taking a value between 1 and 4094,<BR /> inclusive. Since the Tunnel-Private-Group-ID is of type String as<BR /> defined in [RFC2868], for use with IEEE 802.1X, the VLANID integer<BR /> value is encoded as a string.<BR /> <BR /> When Tunnel attributes are sent, it is necessary to fill in the Tag<BR /> field. As noted in [RFC2868], section 3.1:<BR /> <BR /> The Tag field is one octet in length and is intended to <BR /> provide a means of grouping attributes in the same packet<BR /> which refer to the same tunnel. Valid values for this field<BR /> are 0x01 through 0x1F, inclusive. If the Tag field is unused,<BR /> it MUST be zero (0x00).<BR /> <BR /> For use with Tunnel-Client-Endpoint, Tunnel-Server-Endpoint,<BR /> Tunnel-Private-Group-ID, Tunnel-Assignment-ID, Tunnel-Client-Auth-<BR /> ID or Tunnel-Server-Auth-ID attributes (but not Tunnel-Type,<BR /> Tunnel-Medium-Type, Tunnel-Password, or Tunnel-Preference), a tag<BR /> field of greater than 0x1F is interpreted as the first octet of the<BR /> following field.<BR /> <BR /> Unless alternative tunnel types are provided, (e.g. for IEEE 802.1X<BR /> Authenticators that may support tunneling but not VLANs), it is<BR /> only necessary for tunnel attributes to specify a single tunnel. As<BR /> a result, where it is only desired to specify the VLANID, the tag<BR /> field SHOULD be set to zero (0x00) in all tunnel attributes. Where<BR /> alternative tunnel types are to be provided, tag values between<BR /> 0x01 and 0x1F SHOULD be chosen.<BR /> <BR /> See also: <A href="http://www.ietf.org/rfc/rfc2868.txt" target="_blank" rel="nofollow noreferrer noopener">RFC2868</A> and <A href="http://www.ietf.org/rfc/rfc2867.txt" target="_blank" rel="nofollow noreferrer noopener">RFC2867</A>.<BR /> Fri, 22 Nov 2013 08:32:00 GMT https://community.extremenetworks.com/t5/faqs/background-about-rfc-3580-s-vlan-assignment-upon-802-1x/m-p/42536#M114 FAQ_User 2013-11-22T08:32:00Z