118
is not assigned to the critical VLAN. For more information about the authentication methods, see
"Configuring AAA"
Table 13
shows the way that the network access device handles critical voice VLANs for MAC
authentication voice users.
Table 13 VLAN manipulation
Authentication status VLAN manipulation
A voice user fails MAC authentication because
all the RADIUS servers are unreachable.
The device maps the MAC address of the voice user to the
MAC authentication critical voice VLAN.
The voice user is still in the MAC authentication critical
voice VLAN if the voice user fails MAC reauthentication
because all the RADIUS servers are unreachable.
If no MAC authentication critical voice VLAN is configured,
the device maps the MAC address of the voice user to the
PVID of the port.
A voice user in the MAC authentication critical
voice VLAN fails MAC authentication for any
other reason than server unreachable.
If a guest VLAN has been configured, the device maps the
MAC address of the voice user to the guest VLAN.
If no guest VLAN is configured, the device maps the MAC
address of the voice user to the PVID of the port.
A voice user in the MAC authentication critical
voice VLAN passes MAC authentication.
The device remaps the MAC address of the voice user to
the authorization VLAN assigned by the authentication
server.
If no authorization VLAN is configured for the voice user
on the authentication server, the device remaps the MAC
address of the voice user to the PVID of the access port.
ACL assignment
You can specify an authorization ACL in the user account for a MAC authentication user to control
the user's access to network resources. After the user passes MAC authentication, the
authentication server (local or remote) assigns the authorization ACL to the access port of the user.
The ACL will filter traffic for this user. You must configure ACL rules for the authorization ACL on the
access device for the ACL assignment feature.
To ensure a successful ACL assignment, make sure the ACL does not contain rules that match
source MAC addresses.
To change the access control criteria for the user, you can use one of the following methods:
• Modify ACL rules on the access device.
• Specify another authorization ACL on the authentication server.
For more information about ACLs, see ACL and QoS Configuration Guide.
User profile assignment
You can specify a user profile in the user account for a MAC authentication user to control the user's
access to network resources. After the user passes MAC authentication, the authentication server
assigns the user profile to the user to filter traffic for this user. The authentication server can be the
local access device or a RADIUS server. In either case, you must configure the user profile on the
access device.
To change the user's access permissions, you can use one of the following methods:
• Modify the user profile configuration on the access device.
• Specify another user profile for the user on the authentication server.
To Next Page
Loading...
Need help?
General