HPE FlexNetwork 5510 HI Series Security Configuration Guide

A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After
the assignment, do not reconfigure the port as a tagged member in the VLAN.
Table 10 shows the way that the network access device handles guest VLANs for MAC
authentication users.
Table 10 VLAN manipulation
| Authentication status | VLAN manipulation |
|---|---|
| A user in the MAC authentication guest VLAN fails MAC authentication for any other reason than server unreachable. | The user is still in the MAC authentication guest VLAN. |
| A user in the MAC authentication guest VLAN passes MAC authentication. | The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the port. |
Critical VLAN
You can configure a MAC authentication critical VLAN on a port to accommodate users that fail MAC
authentication because no RADIUS authentication server is reachable. Users in a MAC
authentication critical VLAN can access only network resources in the critical VLAN.
The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS
servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user
is not assigned to the critical VLAN. For more information about the authentication methods, see
"Configuring AAA."
Table 11 shows the way that the network access device handles critical VLANs for MAC
authentication users.
Table 11 VLAN manipulation
| Authentication status | VLAN manipulation |
|---|---|
| A user that has not been assigned to any VLAN fails MAC authentication because all the RADIUS servers are unreachable. | The device maps the MAC address of the user to the MAC authentication critical VLAN. The user is still in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable. |
| A user in the MAC authentication critical VLAN fails MAC authentication for any other reason than server unreachable. | If a guest VLAN has been configured, the device maps the MAC address of the user to the guest VLAN. If no guest VLAN is configured, the device remaps the MAC address of the user to the PVID of the port. |
| A user in the MAC authentication critical VLAN passes MAC authentication. | The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the access port. |
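The transitions in Table 10 and Table 11 can be replayed as a small state model to check where a MAC address lands after a sequence of authentication results. The following Python model is an added example, not HPE code or device output; the `Port` fields, the function names, and the VLAN IDs used with it are hypothetical, and any combination the two tables do not describe raises an error instead of guessing.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Result(Enum):
    PASS = 1          # MAC authentication passed
    UNREACHABLE = 2   # failed: all RADIUS servers unreachable
    OTHER_FAIL = 3    # failed for any other reason

@dataclass
class Port:           # constructed model, not a device data structure
    pvid: int
    guest: Optional[int] = None
    critical: Optional[int] = None
    radius_only: bool = True   # critical VLAN applies to RADIUS-only authentication

def next_vlan(port, current, result, authz=None):
    """Return the VLAN a MAC is mapped to after one authentication attempt.
    current is None for a user not yet assigned to any VLAN."""
    if result is Result.PASS and current is not None and current in (port.guest, port.critical):
        # Table 10 row 2 / Table 11 row 3: authorization VLAN, else the PVID
        return authz if authz is not None else port.pvid
    if result is Result.UNREACHABLE and port.critical is not None and port.radius_only:
        if current is None or current == port.critical:
            return port.critical            # Table 11 row 1 (also covers reauthentication)
    if result is Result.OTHER_FAIL and current is not None:
        if current == port.guest:
            return port.guest               # Table 10 row 1: stays in the guest VLAN
        if current == port.critical:        # Table 11 row 2: guest VLAN, else the PVID
            return port.guest if port.guest is not None else port.pvid
    raise LookupError(f"Tables 10 and 11 do not cover {result.name} from VLAN {current}")

def replay(port, events):
    """Apply (result, authz) events in order; return the VLAN after each one."""
    current, trail = None, []
    for result, authz in events:
        current = next_vlan(port, current, result, authz)
        trail.append(current)
    return trail
```

Replaying a RADIUS outage followed by a rejection on a port with no guest VLAN shows the MAC address remapped from the critical VLAN to the PVID, which is the row of Table 11 most worth checking against the intended segmentation.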
ACL assignment
You can specify an authorization ACL in the user account for a MAC authentication user to control
the user's access to network resources. After the user passes MAC authentication, the
authentication server (local or remote) assigns the authorization ACL to the access port of the user.
