Table of Contents
Advertisement
On a periodic online user re-authentication enabled port, if a user has been online before you enable
the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the
user unless the user passes re-authentication and the VLAN for the user has changed.
Guest VLAN
You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X
authentication, so they can access a limited set of network resources, such as a software server, to
download anti-virus software and system patches. Once a user in the guest VLAN passes 802.1X
authentication, it is removed from the guest VLAN and can access authorized network resources.
The way that the network access device handles VLANs on the port differs by 802.1X access control
mode.
•
On a port that performs port-based access control:
Authentication status
No 802.1X user has
performed authentication
within 90 seconds after
802.1X is enabled.
A user in the 802.1X guest
VLAN fails 802.1X
authentication.
A user in the 802.1X guest
VLAN passes 802.1X
authentication.
•
On a port that performs MAC-based access control:
Authentication status
A user has not passed
802.1X authentication yet.
A user in the 802.1X guest
VLAN fails 802.1X
authentication.
A user in the 802.1X guest
VLAN passes 802.1X
authentication.
To use the 802.1X guest VLAN function on a port that performs MAC-based access control, make
sure the port is a hybrid port, and enable MAC-based VLAN on the port.
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
Auth-Fail VLAN
You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication
because of the failure to comply with the organization security strategy, such as using a wrong
VLAN manipulation
The device assigns the 802.1X guest VLAN to the port as the PVID. All
802.1X users on this port can access only resources in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does not
perform any VLAN operation.
If an 802.1X Auth-Fail VLAN (see
device assigns the Auth-Fail VLAN to the port as the PVID. All users on
this port can access only resources in the Auth-Fail VLAN.
If no Auth-Fail VLAN is configured, the PVID on the port is still the
802.1X guest VLAN. All users on the port are in the guest VLAN.
•
The device assigns the VLAN specified for the user to the port as
the PVID, and removes the port from the 802.1X guest VLAN.
After the user logs off, the user configured PVID restores.
•
If the authentication server assigns no VLAN, the user configured
PVID applies. The user and all subsequent 802.1X users are
assigned to the user-configured PVID. After the user logs off, the
PVID remains unchanged.
VLAN manipulation
The device creates a mapping between the MAC address of the user
and the 802.1X guest VLAN. The user can access resources in the
guest VLAN.
If an 802.1X Auth-Fail VLAN is available, the device remaps the MAC
address of the user to the Auth-Fail VLAN. The user can access only
resources in the Auth-Fail VLAN.
If no 802.1X Auth-Fail VLAN is configured, the user is still in the guest
VLAN.
The device remaps the MAC address of the user to the authorized
VLAN.
If the authentication server assigns no authorized VLAN, the device
remaps the MAC address of the user to the initial PVID on the port.
260
"Auth-Fail
VLAN") is available, the
Hide quick links:
Advertisement
Table of Contents
