Support For Guest Vlan And Auth-Fail Vlan - H3C S5500-SI Series Operation Manual

Currently, port security supports two authentication methods: 802.1X and MAC authentication.
Different port security modes employ different authentication methods or different combinations of
authentication methods.
The maximum number of users a port supports is the lesser of the maximum number of secure
MAC addresses or the maximum number of authenticated users the security mode supports. For
example, in userLoginSecureExt mode, the maximum number of users a port supports is the lesser
of the maximum number of secure MAC addresses configured or the maximum number of users
that 802.1X supports.
These security mode naming rules may help you remember the modes:
userLogin specifies port-based 802.1X authentication.
macAddress specifies MAC address authentication.
Else specifies that the authentication method before Else is applied first. If the authentication fails,
the protocol type of the authentication request determines whether to turn to the authentication
method following the Else.
In a security mode with Or, the protocol type of the authentication request determines which
authentication method is to be used. However, 802.1X authentication is preferred by wireless
users.
userLogin with Secure specifies MAC-based 802.1X authentication.
Ext indicates allowing multiple 802.1X users to be authenticated and get online. A security mode
without Ext allows only one 802.1X user to be authenticated and get online.

Support for Guest VLAN and Auth-Fail VLAN

An 802.1X guest VLAN is the VLAN that a user is in before initiating authentication. An 802.1X Auth-Fail
VLAN or a MAC authentication guest VLAN is the VLAN that a user is in after failing authentication.
For a security mode that supports 802.1X authentication, you can configure a MAC-based guest
VLAN (802.1X MGV) or a MAC-based Auth-Fail VLAN (MAFV). For details about 802.1X MGV and
MAFV, refer to 802.1X Configuration in the Security Volume.
For a security mode that supports MAC authentication, you can configure a MAC-based guest
VLAN (MAC authentication MGV). For details about MAC authentication MGV, refer to MAC
Authentication Configuration in the Security Volume.
If you configure both an MAFV for 802.1X authentication and an MGV for MAC address authentication
on a port, a later-generated MAFV entry will overwrite the corresponding MGV entry, while a
later-generated MGV entry cannot overwrite the corresponding MAFV entry.
1-4