H3C S5500-SI Series Operation Manual page 600
Hide thumbs
Also See for S5500-SI Series:
- Configuration manual (130 pages) ,
- Installation manual (86 pages) ,
- Operation manual (57 pages)
Table of Contents
Advertisement
If a user of a port in the guest VLAN initiates authentication process but fails the authentication, the
device will add the user to the Auth-Fail VLAN of the port configured for the port, if any. If no Auth-Fail
VLAN is configured, the device will keep the user in the guest VLAN.
If a user of a port in the guest VLAN initiates authentication and passes the authentication, the device
will add the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on
whether the authentication server assigns a VLAN.
Auth-Fail VLAN
The Auth-Fail VLAN feature allows users failing authentication to access a specified VLAN, which is
called the Auth-Fail VLAN. Note that failing authentication means being denied by the authentication
server due to reasons such as wrong password. Authentication failures caused by authentication
timeout or network connection problems do not fall into this category.
Similar to a guest VLAN, an Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a
MAC-based Auth-Fail VLAN (MAFV), depending on the port access control method.
1)
PAFV
PAFV refers to the Auth-Fail VLAN configured on a port that uses the port-based access control method.
With PAFV configured on a port, if a user on the port fails authentication, the port will be added to the
Auth-Fail VLAN and all users accessing the port will be authorized to access the resources in the
Auth-Fail VLAN. The device adds a PAFV-configured port into the Auth-Fail VLAN according to the
port's link type in the similar way as described in
If a user of a port in the Auth-Fail VLAN initiates authentication but fails the authentication, the port stays
in the Auth-Fail VLAN. If the user passes the authentication successfully, the port leaves the Auth-Fail
VLAN, and:
If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes
offline, the port returns to its initial VLAN, that is, the VLAN the port was in before it was added to
any authorized VLAN.
If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client
goes offline, the port still stays in its initial VLAN.
2)
MAFV
MAFV refers to the Auth-Fail VLAN configured on a port that uses the MAC-based access control
method. With MAFV configured on a port, if a user on the port fails authentication, the user will be
authorized to access the resources in the Auth-Fail VLAN. If the user initiates authentication again and
passes the authentication, the device will add the user to the assigned VLAN or return the user to the
initial VLAN of the port, depending on whether the authentication server assigns a VLAN.
ACL assignment
ACLs provide a way of controlling access to network resources and defining access rights. When a user
logs in through a port, and the RADIUS server is configured with authorization ACLs, the device will
permit or deny data flows traversing through the port according to the authorization ACLs. Before
specifying authorization ACLs on the server, you need to configure the ACL rules on the device. You
can change the access rights of users by modifying authorization ACL settings on the RADIUS server or
changing the corresponding ACL rules on the device.
Online User Handshake Function
The online user handshake function allows the device to send handshake messages to online users to
check whether the users are still online at the interval specified by the dot1x timer handshake-period
VLAN assignment.
1-12
Advertisement
Chapters
Table of Contents
Troubleshooting
