HP 10500 Series Configuration Manual page 94

Authentication status
A user in the 802.1X guest VLAN or the Auth-Fail
VLAN fails authentication because all the
RADIUS servers is reachable.
2. On a port that performs MAC-based access control
Authentication status
A user who has not been assigned to any VLAN
fails 802.1X authentication because all the
RADIUS servers are unreachable.
A user in the 802.1X critical VLAN fails
authentication because all the RADIUS servers
are unreachable.
A user in the critical VLAN fails 802.1X
authentication for any other reason than server
unreachable.
A user in the critical VLAN passes 802.1X
authentication.
A user in the 802.1X guest VLAN or the Auth-Fail
VLAN fails authentication because all the
RADIUS server are unreachable.
A user in the MAC authentication guest VLAN
fails 802.1X authentication because all the
802.1X authentication server are unreachable.
NOTE:
The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.
Any of the following RADIUS authentication server changes in the ISP domain for 802.1X users on a port
can cause the users to be removed from the critical VLAN:
An authentication server is reconfigured, added, or removed.
•
• The status of any RADIUS authentication server automatically changes to active or is
administratively set to active.
The RADIUS server probing function detects that a RADIUS authentication server is reachable and
•
sets its state to active.
You can use the dot1x critical recovery-action reinitialize command to configure the port to trigger
802.1X re-authentication when the port or an 802.1X user on the port is removed from the critical VLAN.
If MAC-based access control is used, the port sends a unicast Identity EAP/Request to the 802.1X
•
user to trigger authentication.
If port-based access control is used, the port sends a multicast Identity EAP/Request to the 802.1X
•
users to trigger authentication.
VLAN manipulation
The PVID of the port remains unchanged. All 802.1X users
on this port can access only resources in the guest VLAN or
the Auth-Fail VLAN.
VLAN manipulation
Maps the MAC address of the user to the critical VLAN. The
user can access only resources in the critical VLAN.
The user is still in the critical VLAN.
If an Auth-Fail VLAN has been configured, re-maps the
MAC address of the user to the Auth-Fail VLAN ID.
Re-maps the MAC address of the user to the server-assigned
VLAN.
If the authentication server assigns no VLAN, re-maps the
MAC address of the user to the default or user-configured
PVID on the port.
The user remains in the 802.1X VLAN or the Auth-Fail
VLAN.
The user is removed from the MAC authentication VLAN
and mapped to the 802.1X critical VLAN.
84