HPE FlexNetwork 7500 Series Security Configuration Manual page 110
Hide thumbs
Also See for FlexNetwork 7500 Series:
- Security configuration manual (506 pages) ,
- Command reference manual (474 pages) ,
- Network management and monitoring command reference (430 pages)
Table of Contents
Advertisement
not assigned to the critical VLAN. For more information about the authentication methods, see
"Configuring AAA."
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
•
On a port that performs port-based access control:
Authentication status
A user that has not been assigned to any
VLAN fails 802.1X authentication
because all the RADIUS servers are
unreachable.
A user in the 802.1X critical VLAN fails
authentication because all the RADIUS
servers are unreachable.
A user in the 802.1X critical VLAN fails
authentication for any reasons other than
unreachable servers.
A user in the 802.1X critical VLAN passes
802.1X authentication.
A user in the 802.1X guest VLAN fails
authentication because all the RADIUS
servers are unreachable.
A user in the 802.1X Auth-Fail VLAN fails
authentication because all the RADIUS
servers are unreachable.
A user who has passed authentication
fails reauthentication because all the
RADIUS servers are unreachable, and
the user is logged out of the device.
•
On a port that performs MAC-based access control:
Authentication status
A user that has not been assigned to any
VLAN fails 802.1X authentication because all
the RADIUS servers are unreachable.
A user in the 802.1X critical VLAN fails
authentication because all the RADIUS
servers are unreachable.
A user in the 802.1X critical VLAN fails
802.1X authentication for any reasons other
than unreachable servers.
VLAN manipulation
The device assigns the critical VLAN to the port as the
PVID. The 802.1X user and all subsequent 802.1X users
on this port can access only resources in the 802.1X
critical VLAN.
The critical VLAN is still the PVID of the port, and all
802.1X users on this port are in this VLAN.
If an 802.1X Auth-Fail VLAN has been configured, the
PVID of the port changes to the Auth-Fail VLAN ID, and all
802.1X users on this port are moved to the Auth-Fail
VLAN. If no 802.1X Auth-Fail VLAN is configured, the
initial PVID of the port is restored.
•
The device assigns the authorization VLAN of the
user to the port as the PVID, and it removes the port
from the 802.1X critical VLAN. After the user logs off,
the guest VLAN ID changes to the PVID. If no 802.1X
guest VLAN is configured, the initial PVID of the port
is restored.
•
If the authentication server (either the local access
device or a RADIUS server) does not authorize a
VLAN, the initial PVID of the port applies. The user
and all subsequent 802.1X users are assigned to this
port VLAN. After the user logs off, the PVID remains
unchanged.
The device assigns the 802.1X critical VLAN to the port as
the PVID, and all 802.1X users on this port are in this
VLAN.
The PVID of the port remains unchanged. All 802.1X users
on this port can access only resources in the 802.1X
Auth-Fail VLAN.
The device assigns the 802.1X critical VLAN to the port as
the PVID.
VLAN manipulation
The device maps the MAC address of the user to the
802.1X critical VLAN. The user can access only
resources in the 802.1X critical VLAN.
The user is still in the critical VLAN.
If an 802.1X Auth-Fail VLAN has been configured, the
device remaps the MAC address of the user to the
Auth-Fail VLAN ID.
If no 802.1X Auth-Fail VLAN has been configured, the
96
Advertisement
Table of Contents
Troubleshooting
