Guest Vlan - HP MSR Series Configuration Manual
Hpe flexnetwork msr router series
Hide thumbs
Also See for MSR Series:
- Configuration manual (889 pages) ,
- Command reference manual (684 pages) ,
- Wan access configuration manual (293 pages)
Table of Contents
Advertisement
Table 6 VLAN manipulation
Port access control
method
Port-based
MAC-based
A hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not
reconfigure the port as a tagged member in the VLAN.
For more information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.
Guest VLAN
The 802.1X guest VLAN on a port accommodates users who have not performed 802.1X
authentication. Users in the guest VLAN can access a limited set of network resources, such as a
software server, to download antivirus software and system patches. Once a user in the guest VLAN
passes 802.1X authentication, it is removed from the guest VLAN and can access authorized
network resources.
The 802.1X guest VLAN takes effect only on a port that performs port-based access control.
The following table illustrates how the access device handles VLANs on an 802.1X-enabled port that
performs port-based access control:
Authentication status
A user has not passed 802.1X
authentication.
A user in the 802.1X guest
VLAN fails 802.1X
authentication.
A user in the 802.1X guest
VLAN passes 802.1X
authentication.
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
For more information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.
VLAN manipulation
The device assigns the first authenticated user's authorization VLAN to the
port as the port VLAN (PVID). All subsequent 802.1X users can access the
VLAN without authentication.
When the first authenticated user logs off, the previous PVID is restored, and
all other online users are logged off.
The device assigns the first authenticated user's authorization VLAN to the
port as the PVID. If a different VLAN is authorized to a subsequent user, the
user cannot pass the authentication. To ensure successful authentication of
subsequent users, authorize the same VLAN to all 802.1X users on these
ports.
VLAN manipulation
The device assigns the 802.1X guest VLAN to the port as the PVID. All
802.1X users on this port can access only resources in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does not perform
any VLAN operation.
If an 802.1X Auth-Fail VLAN (see
assigns the Auth-Fail VLAN to the port as the PVID. All users on this port
can access only resources in the Auth-Fail VLAN.
If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X
guest VLAN. All users on the port are in the guest VLAN.
•
The device assigns the authorization VLAN of the user to the port as
the PVID, and it removes the port from the 802.1X guest VLAN. After
the user logs off, the initial PVID of the port is restored.
•
If the authentication server does not authorize a VLAN, the initial PVID
applies. The user and all subsequent 802.1X users are assigned to the
initial port VLAN. After the user logs off, the port VLAN remains
unchanged.
NOTE:
The initial PVID of an 802.1X-enabled port refers to the PVID used by the
port before the port is assigned to any 802.1X VLANs.
90
"Auth-Fail
VLAN") is available, the device
- Quick Links:
- Configuring Local Users
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
