78
A user
in the 802.1X critical VLAN passes
802.1X authentication.
The device remaps the MAC address of the user to the
authorization VLAN.
If the authentication server (either the local access device
or a RADIUS server) does not authorize a VLAN to the
user, the device remaps the MAC address of the user to
the initial PVID on the port.
A user in the 802.1X guest VLAN fails
authentication because all the RADIUS servers
are unreachable.
The device remaps the MAC address of the user to the
802.1X critical VLAN. The user can access only resources
in the 802.1X critical VLAN.
A user in the 802.1X Auth-Fail
authentication because all the RADIUS servers
are unreachable.
The user remains in the 802.1X Auth-Fail VLAN.
For the 802.1X critical VLAN feature to take effect on a port that performs MAC-based access
control, make sure the following requirements are met:
ï‚¡ The port is a hybrid port.
ï‚¡ MAC-based VLAN is enabled on the port.
The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
When a reachable RADIUS server is detected, the device performs the following operations:
ï‚¡ If MAC-based access control is used, the device removes 802.1X users from the critical
VLAN. The port sends unicast Identity EAP/Request packets to these users to trigger
authentication.
ï‚¡ If port-based access control is used, the device removes the port from the critical VLAN.
The port sends a multicast Identity EAP/Request to all 802.1X users on the port to trigger
authentication.
Critical voice VLAN
This feature is available in Release 1121 and later.
The 802.1X critical voice VLAN on a port accommodates 802.1X voice users who have failed
authentication because none of the RADIUS servers in their ISP domain is reachable.
The critical voice VLAN feature takes effect when 802.1X authentication is performed only through
RADIUS servers. If an 802.1X voice user fails local authentication after RADIUS authentication, the
voice user is not assigned to the critical voice VLAN. For more information about the authentication
methods, see "Configuring AAA."
When a reachable RADIUS server is detected, the device performs the following operations:
• If port-based access control is used, the device removes the port from the critical voice VLAN.
The port sends a multicast EAP-Request/Identity packet to all 802.1X voice users on the port to
trigger authentication.
• If MAC-based access control is used, the device removes 802.1X voice users from the critical
voice VLAN. The port sends a unicast EAP-Request/Identity packet to each 802.1X voice user
that was assigned to the critical voice VLAN to trigger authentication.
To Next Page
Loading...
Need help?
General