HP 10500 Series Configuration Manual page 92
Security configuration guide
Hide thumbs
Also See for 10500 Series:
- Security configuration manual (596 pages) ,
- Configuration manual (512 pages) ,
- Specifications (42 pages)
Table of Contents
Advertisement
Authentication status
A user in the 802.1X guest
VLAN fails 802.1X
authentication
A user in the 802.1X guest
VLAN passes 802.1X
authentication
To use the 802.1X guest VLAN function on a port that performs MAC-based access control, make sure
that the port is a hybrid port, and enable MAC-based VLAN on the port.
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching
Configuration Guide.
Auth-Fail VLAN
You can configure an Auth-Fail VLAN to accommodate users who have failed 802.1X authentication
because of the failure to comply with the organization security strategy, such as using a wrong password.
Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to
download anti-virus software and system patches.
The Auth-Fail VLAN does not accommodate 802.1X users who have failed authentication for
authentication timeouts or network connection problems. The way that the network access device
handles VLANs on the port differs by 802.1X access control mode.
1.
On a port that performs port-based access control
Authentication status
A user fails 802.1X
authentication
A user in the Auth-Fail VLAN
fails 802.1X re-authentication
A user passes 802.1X
authentication
2.
On a port that performs MAC-based access control
Authentication status
A user fails 802.1X
authentication
A user in the Auth-Fail VLAN
fails 802.1X re-authentication
VLAN manipulation
If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user
to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.
If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest
VLAN.
Re-maps the MAC address of the user to the VLAN specified for the user.
If the authentication server assigns no VLAN, re-maps the MAC address of the
user to the initial PVID on the port.
VLAN manipulation
Assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this
port can access only resources in the Auth-Fail VLAN.
The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this
port are in this VLAN.
•
Assigns the VLAN specified for the user to the port as the PVID, and
removes the port from the Auth-Fail VLAN. After the user logs off, the
user-configured PVID restores.
•
If the authentication server assigns no VLAN, the initial PVID applies. The
user and all subsequent 802.1X users are assigned to the user-configured
PVID. After the user logs off, the PVID remains unchanged.
VLAN manipulation
Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can
access only resources in the Auth-Fail VLAN.
The user is still in the Auth-Fail VLAN.
82
Advertisement
Table of Contents
Troubleshooting
