Item | Description
 | • The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and it enables periodic online user re-authentication, even if the function is not configured on the access device. Support for the server assignment of re-authentication timer and the re-authentication timer configuration on the server vary with servers. • The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.
Guest VLAN | Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an 802.1X guest VLAN."
Enable MAC VLAN | Specify whether to enable MAC-based VLAN. Required when MAC Based is selected for Port Control. NOTE: Only hybrid ports support the feature.
Auth-Fail VLAN | Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X authentication. For more information, see "Configuring an Auth-Fail VLAN."

Configuring an 802.1X guest VLAN

Configuration prerequisites
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member.

Configuration guidelines
• The 802.1X guest VLANs on different ports can be different.
• Assign different IDs to the port VLAN and the 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN tagged traffic.
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
• Use Table 99 when you configure multiple security features on a port.

Table 99 Relationships of the 802.1X guest VLAN and other security features
Feature | Relationship description
MAC authentication guest VLAN on a port that performs MAC-based access control | Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC authentication guest VLAN.
802.1X Auth-Fail VLAN on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN has a higher priority.
Port intrusion protection on a port that | The 802.1X guest VLAN function has higher priority than the block MAC action, but it has lower priority
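
The guest VLAN prerequisites and guidelines, together with the rule that VLAN assignment must be consistent before and after re-authentication, can be run as a pre-deployment check over an exported port inventory. This is an added example, not code from the device or its vendor; the dictionary keys (port_control, link_type, mac_vlan_enabled, pvid, guest_vlan, untagged_vlans, tagged_vlans) and the sample ports are hypothetical and constructed for illustration.

```python
# Added example: the port dictionary layout is an assumption, not a device format.

def lint_guest_vlan(port, existing_vlans):
    """Return findings for one port; an empty list means every check passed."""
    findings = []
    guest = port.get("guest_vlan")
    if guest is None:
        return findings  # no 802.1X guest VLAN on this port
    # Prerequisite: the guest VLAN must be created first.
    if guest not in existing_vlans:
        findings.append(f"guest VLAN {guest} does not exist")
    # Guideline: port VLAN and guest VLAN need different IDs.
    if port.get("pvid") == guest:
        findings.append(f"port VLAN and guest VLAN share ID {guest}")
    # Prerequisite for MAC-based access control: hybrid port, MAC-based VLAN
    # enabled, untagged membership in the guest VLAN.
    if port.get("port_control") == "mac-based":
        if port.get("link_type") != "hybrid":
            findings.append("MAC-based port is not a hybrid port")
        if not port.get("mac_vlan_enabled", False):
            findings.append("MAC-based VLAN is not enabled")
        if guest not in port.get("untagged_vlans", ()):
            findings.append(f"port is not an untagged member of VLAN {guest}")
    # Guideline: do not make the port a tagged member of the VLAN.
    if guest in port.get("tagged_vlans", ()):
        findings.append(f"port is a tagged member of VLAN {guest}")
    return findings

def reauth_vlan_consistent(vlan_before, vlan_after):
    """Server must assign a VLAN both times or neither time; IDs may differ."""
    return (vlan_before is None) == (vlan_after is None)

# Constructed sample data.
VLANS = {1, 10, 20}
GOOD_PORT = {"port_control": "mac-based", "link_type": "hybrid",
             "mac_vlan_enabled": True, "pvid": 1, "guest_vlan": 10,
             "untagged_vlans": (1, 10), "tagged_vlans": (20,)}
BAD_PORT = {"port_control": "mac-based", "link_type": "trunk",
            "mac_vlan_enabled": False, "pvid": 99, "guest_vlan": 99,
            "untagged_vlans": (1,), "tagged_vlans": (99,)}

if __name__ == "__main__":
    for name, port in (("good", GOOD_PORT), ("bad", BAD_PORT)):
        print(name, lint_guest_vlan(port, VLANS) or "OK")
    print("re-auth 10 -> none consistent:", reauth_vlan_consistent(10, None))
```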