HP 3600 v2 Series Security Configuration Manual page 97
Hide thumbs
Also See for 3600 v2 Series:
- Command reference manual (510 pages) ,
- Configuration manual (449 pages) ,
- Installation manual (62 pages)
Table of Contents
Advertisement
Access control
IMPORTANT:
•
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the
assignment, do not re-configure the port as a tagged member in the VLAN.
•
On a periodic online user re-authentication enabled port, if a user has been online before you enable the
MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless
the user passes re-authentication and the VLAN for the user has changed.
•
For more information about VLAN configuration and MAC-based VLAN, see Layer 2
Configuration Guide.
Guest VLAN
You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X
authentication, so they can access a limited set of network resources, such as a software server, to
download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X
authentication, it is removed from the guest VLAN and can access authorized network resources. The
way that the network access device handles VLANs on the port differs by 802.1X access control mode.
On a port that performs port-based access control
1.
Authentication status
No 802.1X user has
performed authentication
within 90 seconds after
802.1X is enabled
A user in the 802.1X guest
VLAN fails 802.1X
authentication
A user in the 802.1X guest
VLAN passes 802.1X
authentication
On a port that performs MAC-based access control
2.
Authentication status
A user has not passed 802.1X
authentication yet
A user in the 802.1X guest
VLAN fails 802.1X
authentication
VLAN manipulation
VLAN manipulation
Assigns the 802.1X guest VLAN to the port as the default VLAN. All 802.1X
users on this port can access only resources in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does not perform
any VLAN operation.
If an 802.1X Auth-Fail VLAN (see
Auth-Fail VLAN to the port as the default VLAN. All users on this port can
access only resources in the Auth-Fail VLAN.
If no Auth-Fail VLAN is configured, the default VLAN on the port is still the
802.1X guest VLAN. All users on the port are in the guest VLAN.
•
Assigns the VLAN specified for the user to the port as the default VLAN,
and removes the port from the 802.1X guest VLAN. After the user logs off,
the user configured default VLAN restores.
•
If the authentication server assigns no VLAN, the user configured default
VLAN applies. The user and all subsequent 802.1X users are assigned to
the user-configured default VLAN. After the user logs off, the default VLAN
remains unchanged.
VLAN manipulation
Creates a mapping between the MAC address of the user and the 802.1X
guest VLAN. The user can access resources in the guest VLAN.
If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the
user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail
VLAN.
If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest
VLAN.
86
LAN Switching
—
"Auth-Fail
VLAN") is available, assigns the
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
