89
Feature Relationship description Reference
MAC authentication guest VLAN
on a port that performs
MAC-based access control
The 802.1X Auth-Fail VLAN has a high
priority.
See "Configuring MAC
authentication"
Port intrusion protection on a port
that performs MAC-based access
control
The 802.1X Auth-Fail VLAN function has
higher priority than the block MAC action
but lower priority than the shut down port
action of the port intrusion protection
feature.
See "Configuring port
security"
Configuration prerequisites
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger
(dot1x multicast-trigger).
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged
member. For more information about the MAC-based VLAN function, see Layer 2
—
LAN Switching
Configuration Guide.
Configuration procedure
To configure an Auth-Fail VLAN:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enter Ethernet interface view.
interface interface-type
interface-number
N/A
3. Configure the Auth-Fail VLAN
on the port.
dot1x auth-fail vlan authfail-vlan-id
By default, no Auth-Fail VLAN is
configured.
Configuring an 802.1X critical VLAN
Configuration guidelines
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X critical VLAN on a port, so
the port can correctly process VLAN tagged incoming traffic.
• You can configure only one 802.1X critical VLAN on a port. The 802.1X critical VLANs on different
ports can be different.
• You cannot specify a VLAN as both a super VLAN and an 802.1X critical VLAN. For information
about super VLANs, see Layer 2
—
LAN Switching Configuration Guide.
• If 802.1X clients in your network cannot trigger an immediate DHCP-assigned IP address renewal
in response to a VLAN change, the 802.1X users cannot access authorized network resources
immediately after an 802.1X authentication is complete. As a solution, remind the 802.1X users to
To Next Page
Loading...
Need help?
General
