typically indicates the desired VLAN by including tunnel attributes within the Access-Accept message. This
procedure of getting the VLAN an binding it to the port constitutes to Dynamic VLAN assignment.
VLAN Assignment from RADIUS
After authentication is completed either through dot1x or MAB, the response from the RADIUS server can
have dynamic VLAN information, which can be assigned to a port. This information is present in response
from RADIUS server in Accept-Access message in the form of tunnel attributes. For use in VLAN assignment,
the following tunnel attributes are sent:
• Tunnel-type=VLAN(13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
All the three parameters must be received for configuring access VLAN.
Single Host and Multiple Hosts Support
The 802.1X feature can restrict traffic on a port to only one endpoint device (single-host mode) or allow traffic
from multiple endpoint devices on a port (multi-host mode).
Single-host mode allows traffic from only one endpoint device on the 802.1X port. Once the endpoint device
is authenticated, the Cisco NX-OS device puts the port in the authorized state. When the endpoint device
leaves the port, the Cisco NX-OS device put the port back into the unauthorized state. A security violation in
802.1X is defined as a detection of frames sourced from any MAC address other than the single MAC address
authorized as a result of successful authentication. In this case, the interface on which this security association
violation is detected (EAPOL frame from the other MAC address) will be disabled. Single host mode is
applicable only for host-to-switch topology and when a single host is connected to the Layer 2 (Ethernet
access port) or Layer 3 port (routed port) of the Cisco NX-OS device.
Only the first host has to be authenticated on the 802.1X port configured with multiple host mode. The port
is moved to the authorized state after the successful authorization of the first host. Subsequent hosts are not
required to be authorized to gain network access once the port is in the authorized state. If the port becomes
unauthorized when reauthentication fails or an EAPOL logoff message is received, all attached hosts are
denied access to the network. The capability of the interface to shut down upon security association violation
is disabled in multiple host mode. This mode is applicable for both switch-to-switch and host-to-switch
topologies.
Supported Topology
The 802.1X port-based authentication supports point-to-point topology.
In this configuration, only one supplicant (client) can connect to the 802.1X-enabled authenticator (Cisco
NX-OS device) port. The authenticator detects the supplicant when the port link state changes to the up state.
If a supplicant leaves or is replaced with another supplicant, the authenticator changes the port link state to
down, and the port returns to the unauthorized state.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
182
Configuring 802.1X
VLAN Assignment from RADIUS