RFC 4675 specifies the Egress-VLANID attribute.
With this attribute you can send one or multiple VLANs back to the network access devices. One of
these VLANs can be untagged.
The RFC specifies a hex format, which is fairly easy to read: you only need to interpret the last 3 digits as
a hex value for the VLAN ID.
In ClearPass these values must be specified as decimal values, which makes them
hard to recognize for the human eye.
With this tool you can convert the decimal values back to a human-readable form and also generate an XML
enforcement profile to import into ClearPass.
If you only want to convert one VLAN to the decimal representation, simply enter it and copy only the "value"
field from the XML output.
If you encounter the decimal value in the ClearPass Enforcement Profile you can convert it back.
Valid values are between 822083585 (VLAN ID 1 tagged) and 838864894 (VLAN ID 4094 untagged).
Format | Mode | Padding | VLAN ID |
---|---|---|---|
Human | | | |
Hex | | | |
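
The conversion described above, as an added Python example (not this tool's own code; the function names are assumptions). It follows the RFC 4675 layout of one tag-indication octet (0x31 tagged, 0x32 untagged), 12 zero padding bits and a 12-bit VLAN ID, and it rejects values that fall inside the numeric range above but are not well-formed.

```python
TAGGED, UNTAGGED = 0x31, 0x32  # RFC 4675 Tag Indication octet


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Return the decimal value ClearPass expects for one VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 1..4094")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value: int) -> dict:
    """Split a decimal Egress-VLANID into mode, padding and VLAN ID."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    tag = value >> 24               # first octet: tagged / untagged
    pad = (value >> 12) & 0xFFF     # 12 padding bits, must be zero
    vlan_id = value & 0xFFF         # last 3 hex digits: the VLAN ID
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indication 0x{tag:02X}")
    if pad != 0:
        raise ValueError(f"non-zero padding 0x{pad:03X}")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 1..4094")
    return {"vlan_id": vlan_id, "tagged": tag == TAGGED,
            "hex": f"0x{value:08X}"}


def encode_port(vlans: list) -> list:
    """Encode a list of (vlan_id, tagged) pairs for one port.

    Enforces what the text states: at most one VLAN may be untagged.
    Duplicate VLAN IDs are rejected as well.
    """
    ids = [vid for vid, _ in vlans]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate VLAN ID in list")
    if sum(1 for _, tagged in vlans if not tagged) > 1:
        raise ValueError("only one VLAN can be untagged")
    return [encode_egress_vlanid(vid, tagged) for vid, tagged in vlans]


if __name__ == "__main__":
    # Constructed sample: untagged VLAN 10 plus tagged VLAN 20.
    for value in encode_port([(10, False), (20, True)]):
        print(value, decode_egress_vlanid(value))
```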
You can add different VLANs and optionally set the port to Device/Infrastructure Mode for AOS-S or AOS-CX.
With the port set to device/infrastructure mode instead of user mode, only the first device on the port
is authenticated, and clients (MAC addresses) seen afterwards are free to communicate.
This is used in conjunction with access points or desktop switches, where the AP/switch is used to authenticate further clients.
For AOS-S there are two attributes for the device mode: one attribute for MAC Auth, the other for Dot1x/Radius
Auth.
You need to select the appropriate method for your use case, depending on whether the device is authenticated
via MAC or via dot1x.