87
download anti-virus software and system patches. Once a user in the guest VLAN passes 802.1X
authentication, it is removed from the guest VLAN and can access authorized network resources.
The following describes the way that the network access device handles VLANs on the port that
performs port-based access control.
Authentication status VLAN manipulation
No 802.1X user has
performed authentication
within 90 seconds after
802.1X is enabled
Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users
on this port can access only resources in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does not perform
any VLAN operation.
A user in the 802.1X guest
VLAN fails 802.1X
authentication
If an 802.1X Auth-Fail VLAN (see "
Auth-Fail VLAN
") is ava
ilable, assigns the
Auth-Fail VLAN to the port as the PVID. All users on this port can access
only resources in the Auth-Fail VLAN.
If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X
guest VLAN. All users on the port are in the guest VLAN.
A user in the 802.1X guest
VLAN passes 802.1X
authentication
• Assigns the VLAN specified for the user to the port as the PVID, and
removes the port from the 802.1X guest VLAN. After the user logs off,
the user configured PVID restores.
• If the authentication server assigns no VLAN, the user-configured
PVID applies. The user and all subsequent 802.1X users are assigned
to the user-configured port VLAN. After the user logs off, the port
VLAN remains unchanged.
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
For more information about VLAN configuration, see HPE FlexNetwork MSR Router Series
Comware 5 Layer 2—LAN Switching Configuration Guide.
Auth-Fail VLAN
Auth-Fail VLAN is not supported on ports that perform MAC-based access control.
You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication
because of the failure to comply with the organization security strategy, such as using a wrong
password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a
software server, to download anti-virus software and system patches.
The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for
authentication timeouts or network connection problems.
The following describes the way that the network access device handles VLANs on the port that
performs port-based access control.
Authentication status VLAN manipulation
A user fails 802.1X
authentication
Assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on
this port can access only resources in the Auth-Fail VLAN.
A user in the Auth-Fail VLAN
fails 802.1X re-authentication
The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on
this port are in this VLAN.
A user passes 802.1X
authentication
• Assigns the VLAN specified for the user to the port as the PVID, and
removes the port from the Auth-Fail VLAN. After the user logs off, the
user-configured PVID restores.
• If the authentication server assigns no VLAN, the initial PVID applies.
The user and all subsequent 802.1X users are assigned to the
user-configured PVID. After the user logs off, the PVID remains
unchanged.
The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
To Next Page
Loading...
Need help?
General
