98
Configuration procedure
To configure an 802.1X Auth-Fail VLAN:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter Ethernet interface
view.
interface
interface-type
interface-number
N/A
3. Configure the 802.1X
Auth-Fail VLAN on the port.
dot1x auth-fail vlan
authfail-vlan-id
By default, no 802.1X Auth-Fail
VLAN exists.
Configuring an 802.1X critical VLAN
Typically, when a client user is assigned to the 802.1X critical VLAN on a port, the device sends an
EAP-Failure packet to the client. For some specific 802.1X clients (for example, Windows built-in
802.1X clients), this mechanism causes reauthentication failure. After receiving an EAP-Failure
packet, such a client does not respond to the EAP-Request/Identity packet from the device when a
reachable authentication server is detected.
To solve this problem, configure the device to send EAP-Success packets for 802.1X user
assignment to the 802.1X critical VLAN. When a client receives an EAP-Success packet, it
determines that the 802.1X user comes online and it can respond to the EAP-Request/Identity
packet from the device for reauthentication.
Configuration guidelines
When you configure an 802.1X critical VLAN, follow these restrictions and guidelines:
• Assign different IDs to the voice VLAN, the PVID, and the 802.1X critical VLAN on a port. The
assignment makes sure the port can correctly process VLAN-tagged incoming traffic.
• You can configure only one 802.1X critical VLAN on a port. The 802.1X critical VLANs on
different ports can be different.
• You cannot specify a VLAN as both a super VLAN and an 802.1X critical VLAN. For information
about super VLANs, see Layer 2—LAN Switching Configuration Guide.
Configuration prerequisites
Before you configure an 802.1X critical VLAN, complete the following tasks:
• Create the VLAN to be specified as a critical VLAN.
• If the 802.1X-enabled port performs MAC-based access control, perform the following
operations for the port:
{ Configure the port as a hybrid port.
{ Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see
Layer 2—LAN Switching Configuration Guide.
{ Assign the port to the 802.1X critical VLAN as an untagged member.
Configuration procedure
To configure an 802.1X critical VLAN:
To Next Page
Loading...
Need help?
General