88
For more information about VLAN configuration, see HPE FlexNetwork MSR Router Series
Comware 5 Layer 2—LAN Switching Configuration Guide.
Critical VLAN
Critical VLAN is not supported on ports that perform MAC-based access control.
Configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication
because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users
in the critical VLAN can access a limit set of network resources depending on your configuration.
The critical VLAN feature takes effect when 802.1X authentication is performed only through
RADIUS servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is
not assigned to the critical VLAN. For more information about RADIUS configuration, see
"Configuring AAA."
The following describes the way that the network access device handles VLANs on the port that
performs port-based access control.
Authentication status VLAN manipulation
A user that has not been assigned to any
VLAN fails 802.1X authentication because
all the RADIUS servers are unreachable.
Assigns the critical VLAN to the port as the PVID. The 802.1X
user and all subsequent 802.1X users on this port can access
only resources in the critical VLAN.
A user in the 802.1X critical VLAN fails
authentication because all the RADIUS
servers are unreachable.
The critical VLAN is still the PVID of the port, and all 802.1X
users on this port are in this VLAN.
A user in the 802.1X critical VLAN fails
authentication for any other reason than
server unreachable.
If an Auth-Fail VLAN has been configured, the PVID of the
port changes to Auth-Fail VLAN ID, and all 802.1X users on
this port are moved to the Auth-Fail VLAN.
A user in the critical VLAN passes 802.1X
authentication.
• Assigns the VLAN specified for the user to the port as the
PVID, and removes the port from the critical VLAN. After
the user logs off, the default or user-configured PVID
restores.
• If the authentication server assigns no VLAN, the default
or user-configured PVID applies. The user and all
subsequent 802.1X users are assigned to this port
VLAN. After the user logs off, this PVID remains
unchanged.
A user in the 802.1X guest VLAN or the
Auth-Fail VLAN fails authentication
because all the RADIUS servers is
reachable.
The PVID of the port remains unchanged. All 802.1X users on
this port can access only resources in the guest VLAN or the
Auth-Fail VLAN.
The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.
Any of the following RADIUS authentication server changes in the ISP domain for 802.1X users on a
port can cause the users to be removed from the critical VLAN:
• An authentication server is reconfigured, added, or removed.
• The status of any RADIUS authentication server automatically changes to active or is
administratively set to active.
• The RADIUS server probing function detects that a RADIUS authentication server is reachable
and sets its state to active.
You can use the dot1x critical recovery-action reinitialize command to configure the port to
trigger 802.1X re-authentication when the port or an 802.1X user on the port is removed from the
critical VLAN.
To Next Page
Loading...
Need help?
General
