Vlan Assignment - HP FlexNetwork 10500 Series Security Configuration Manual


VLAN assignment

MAC authentication supports the authorization VLAN, guest VLAN, and critical VLAN.
Authorization VLAN
You can specify the authorization VLAN for a MAC authentication user to control access to
authorized network resources.
On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VLAN
name.
On the local access device, the authorization VLAN must be specified in the form of VLAN ID.
You can specify the authorization VLAN in the following views:
Local user view.
User group view.
For more information about local authorization VLAN configuration, see "Configuring AAA."
When the MAC authentication user passes authentication, the authentication server (either the local
access device or a RADIUS server) assigns the authorization VLAN to the user.
The port through which the user accesses the device is assigned to the authorization VLAN. A hybrid
port is always assigned to a server-assigned authorization VLAN as an untagged member. After the
assignment, do not reconfigure the port as a tagged member in the VLAN.
Table 9 describes the way the network access device handles authorization VLANs for MAC
authenticated users.

Table 9 VLAN manipulation

| Port type | VLAN manipulation |
|---|---|
| Access port; Trunk port; Hybrid port with MAC-based VLAN disabled | The device assigns the first authenticated user's authorization VLAN to the port as the PVID. NOTE: For these port types, you must assign the same authorization VLAN to all MAC authentication users on a port. If a different authorization VLAN is assigned to a subsequent user, the user cannot pass MAC authentication. |
| Hybrid port with MAC-based VLAN enabled | The device maps the MAC address of each user to the authorization VLAN. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed. |

Guest VLAN
You can configure a MAC authentication guest VLAN on a port to accommodate users that have
failed MAC authentication on the port. Users in the MAC authentication guest VLAN can access a
limited set of network resources, such as a software server, to download software and system
patches. If no MAC authentication guest VLAN is configured, the users that have failed MAC
authentication cannot access any network resources.
A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After
the assignment, do not reconfigure the port as a tagged member in the VLAN.
Table 10 shows the way that the network access device handles guest VLANs for MAC
authentication users.
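The Table 9 handling rules and the guest VLAN fallback, modeled as an added example (not code from the HP manual or the device). The port-kind labels, MAC addresses and VLAN IDs are constructed, and leaving the PVID unchanged at logoff on PVID-based ports is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Labels for the Table 9 port types (names chosen for this model).
PVID_KINDS = {"access", "trunk", "hybrid"}   # "hybrid" = MAC-based VLAN disabled
MAC_VLAN_KIND = "hybrid-mac-vlan"            # hybrid port, MAC-based VLAN enabled

@dataclass
class Port:
    kind: str
    pvid: int = 1                            # constructed default
    guest_vlan: Optional[int] = None         # MAC authentication guest VLAN, if any
    users: Dict[str, int] = field(default_factory=dict)     # online MAC -> VLAN
    mac_vlan: Dict[str, int] = field(default_factory=dict)  # MAC-to-VLAN mappings

    def __post_init__(self):
        if self.kind not in PVID_KINDS | {MAC_VLAN_KIND}:
            raise ValueError(f"unknown port kind: {self.kind}")

    def auth_pass(self, mac: str, vlan: int) -> str:
        """User passed MAC authentication and the server assigned `vlan`."""
        if self.kind == MAC_VLAN_KIND:
            self.mac_vlan[mac] = vlan        # per-user mapping, PVID unchanged
        elif not self.users:
            self.pvid = vlan                 # first user's VLAN becomes the PVID
        elif vlan != self.pvid:
            return "rejected"                # different VLAN: user cannot pass
        self.users[mac] = vlan
        return f"vlan {vlan}"

    def auth_fail(self, mac: str) -> str:
        """User failed MAC authentication."""
        if self.guest_vlan is None:
            return "no access"
        return f"guest vlan {self.guest_vlan}"

    def logoff(self, mac: str) -> None:
        # The page only describes logoff for MAC-based VLAN ports (mapping removed);
        # leaving the PVID untouched on other port types is this model's assumption.
        self.users.pop(mac, None)
        self.mac_vlan.pop(mac, None)

if __name__ == "__main__":
    shared = Port("access")
    print(shared.auth_pass("00-11-22-33-44-01", 10))   # constructed MACs and VLAN IDs
    print(shared.auth_pass("00-11-22-33-44-02", 20))
    print(shared.auth_pass("00-11-22-33-44-02", 10))
```

Running the model against a planned RADIUS policy shows which users on a shared access or trunk port would be rejected because their authorization VLAN differs from the first user's.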
