Configuring An 802.1X Guest Vlan - HP 5120 SI Series Security Configuration Manual

The periodic online user re-authentication timer can also be set by the authentication server in the
session-timeout attribute. The server-assigned timer overrides the timer setting on the access device and
enables periodic online user re-authentication, even if the function is not configured. Support for
server assignment of the re-authentication timer, and the way the timer is configured on the server,
vary with servers.
NOTE:
• The VLAN assignment status must be consistent before and after re-authentication. If the authentication
  server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication.
  If the authentication server has assigned no VLAN before re-authentication, it must not assign one at
  re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an
  online user before and after re-authentication can be the same or different.
• If no critical VLAN is configured, an unreachable RADIUS server can cause an online user who is being
  re-authenticated to be logged off. If a critical VLAN is configured, the user remains online and in the
  original VLAN.

Configuring an 802.1X guest VLAN

Configuration guidelines
Follow these guidelines when configuring an 802.1X guest VLAN:
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different
  ports can be different.
• Assign different IDs for the voice VLAN, default VLAN, and 802.1X guest VLAN on a port, so the
  port can correctly process incoming VLAN tagged traffic.
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member.
  After the assignment, do not re-configure the port as a tagged member in the VLAN.
Table 8 Relationships of the 802.1X guest VLAN and other security features

| Feature | Relationship description | Reference |
|---|---|---|
| MAC authentication guest VLAN on a port that performs MAC-based access control | Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication is not assigned to the MAC authentication guest VLAN. | The chapter "MAC authentication configuration" |
| 802.1X Auth-Fail VLAN on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN has a higher priority. | The chapter "802.1X configuration" |
| Port intrusion protection on a port that performs MAC-based access control | The 802.1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. | The chapter "Port security configuration" |

Configuration prerequisites
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.
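
The guidelines and prerequisites above can be checked mechanically before a change is rolled out. The following is an added example, not part of the HP manual: a small Python linter in which the PortConfig fields, the function name, the port names and the VLAN IDs are all hypothetical and constructed for illustration (they are not device CLI syntax).

```python
# Added example. PortConfig is a hypothetical inventory model, not CLI syntax.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PortConfig:
    name: str
    access_control: str                  # "portbased" or "macbased"
    link_type: str                       # "access", "trunk" or "hybrid"
    default_vlan: int
    guest_vlan: Optional[int] = None     # 802.1X guest VLAN (one per port)
    voice_vlan: Optional[int] = None
    tagged_vlans: set = field(default_factory=set)
    multicast_trigger: bool = True       # 802.1X multicast trigger state

def lint_guest_vlan(port, existing_vlans):
    """Return the guideline violations for one port (empty list if clean)."""
    findings = []
    gv = port.guest_vlan
    if gv is None:
        return findings
    # Prerequisite: the guest VLAN must already have been created.
    if gv not in existing_vlans:
        findings.append(f"{port.name}: guest VLAN {gv} does not exist")
    # Guideline: voice, default and guest VLAN IDs must all differ.
    ids = {"default": port.default_vlan, "guest": gv}
    if port.voice_vlan is not None:
        ids["voice"] = port.voice_vlan
    if len(set(ids.values())) != len(ids):
        findings.append(f"{port.name}: VLAN IDs overlap {ids}")
    # Guideline: a hybrid port joins the VLAN untagged; it must not be tagged.
    if port.link_type == "hybrid" and gv in port.tagged_vlans:
        findings.append(f"{port.name}: hybrid port is tagged in guest VLAN {gv}")
    # Prerequisite: port-based access control needs the multicast trigger.
    if port.access_control == "portbased" and not port.multicast_trigger:
        findings.append(f"{port.name}: multicast trigger disabled")
    return findings

# Constructed sample inventory (not taken from any real device).
VLANS = {1, 10, 20}
PORTS = [
    PortConfig("GE1/0/1", "portbased", "access", 1, guest_vlan=10),
    PortConfig("GE1/0/2", "portbased", "hybrid", 1, guest_vlan=20,
               voice_vlan=20, tagged_vlans={20}, multicast_trigger=False),
    PortConfig("GE1/0/3", "macbased", "hybrid", 1, guest_vlan=30),
]

if __name__ == "__main__":
    for p in PORTS:
        print(p.name, lint_guest_vlan(p, VLANS) or "OK")
```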
