Item: Enable Re-Authentication
Description: Specifies whether to enable periodic online user re-authentication on the port.
Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in Table 104.
NOTE:
• The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and it enables periodic online user re-authentication, even if the function is not configured on the access device. Support for the server assignment of re-authentication timer and the re-authentication timer configuration on the server vary with servers.
• The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.

Item: Guest VLAN
Description: Specifies an existing VLAN as the guest VLAN.
For more information, see "Configuring an 802.1X guest VLAN."

Item: Enable MAC VLAN
Description: Specifies whether to enable MAC-based VLAN.
Required when MAC Based is selected for Port Control.
NOTE:
Only hybrid ports support the feature.

Item: Auth-Fail VLAN
Description: Specifies an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X authentication.
For more information, see "Configuring an Auth-Fail VLAN."

Configuring an 802.1X guest VLAN

Configuration prerequisites
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member.

Configuration guidelines
• The 802.1X guest VLANs on different ports can be different.
• Assign different IDs to the port VLAN and the 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN tagged traffic.
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
• Use Table 106 when you configure multiple security features on a port.
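
The guest VLAN prerequisites and guidelines and the re-authentication VLAN consistency rule on this page can be checked offline against an exported port inventory. The following is an added example, not code from the manual or the device vendor: the Port model, its field names and the sample ports are assumptions, and the tagged-member guideline is applied here to the guest VLAN.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Port:  # hypothetical model of one port's settings, not a device API
    name: str
    link_type: str                      # "access", "trunk" or "hybrid"
    port_control: str                   # "mac-based" or "port-based"
    pvid: int                           # port VLAN ID
    guest_vlan: Optional[int] = None
    mac_vlan: bool = False              # the "Enable MAC VLAN" setting
    untagged: Set[int] = field(default_factory=set)
    tagged: Set[int] = field(default_factory=set)

def check_guest_vlan(port: Port, existing_vlans: Set[int]) -> List[str]:
    """Return the prerequisite/guideline violations for the port's guest VLAN."""
    g, problems = port.guest_vlan, []
    if g is None:
        return problems
    if g not in existing_vlans:
        problems.append("guest VLAN has not been created")
    if g == port.pvid:
        problems.append("guest VLAN ID equals the port VLAN ID")
    if port.port_control == "mac-based":
        if port.link_type != "hybrid":
            problems.append("MAC-based access control needs a hybrid port")
        if not port.mac_vlan:
            problems.append("MAC-based VLAN is not enabled")
        if g not in port.untagged:
            problems.append("port is not an untagged member of the guest VLAN")
    if port.link_type == "hybrid" and g in port.tagged:
        problems.append("hybrid port is a tagged member of the guest VLAN")
    return problems

def reauth_status_consistent(before: Optional[int], after: Optional[int]) -> bool:
    """Server must assign a VLAN at both authentications or at neither; IDs may differ."""
    return (before is None) == (after is None)

# Constructed sample data, not taken from a real device.
VLANS = {1, 10, 20}
GOOD = Port("GE1/0/1", "hybrid", "mac-based", pvid=1, guest_vlan=10,
            mac_vlan=True, untagged={1, 10})
BAD = Port("GE1/0/2", "access", "mac-based", pvid=30, guest_vlan=30)

if __name__ == "__main__":
    for p in (GOOD, BAD):
        print(p.name, check_guest_vlan(p, VLANS) or "ok")
    print(reauth_status_consistent(10, 20), reauth_status_consistent(None, 20))
```
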