HPE FlexNetwork 10500 Series Security Configuration Manual page 112
Hide thumbs
Also See for FlexNetwork 10500 Series:
- Security command reference (881 pages) ,
- Network management and monitoring command reference (423 pages) ,
- Configuration manual (407 pages)
Table of Contents
Advertisement
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
•
On a port that performs port-based access control:
Authentication status
A user accesses the
802.1X-enabled port when
the port is in auto state.
A user in the 802.1X guest
VLAN fails 802.1X
authentication.
A user in the 802.1X guest
VLAN passes 802.1X
authentication.
IMPORTANT:
When the port receives a packet with a VLAN tag, the packet will be forwarded within the VLAN
even if the VLAN is not the guest VLAN.
•
On a port that performs MAC-based access control:
Authentication
status
A user accesses the port
and has not performed
802.1X authentication.
A user in the 802.1X
guest VLAN fails 802.1X
authentication.
A user in the 802.1X
guest VLAN passes
802.1X authentication.
For the 802.1X guest VLAN feature to take effect on a port that performs MAC-based access
control, make sure the following requirements are met:
The port is a hybrid port.
MAC-based VLAN is enabled on the port.
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
VLAN manipulation
The device assigns the 802.1X guest VLAN to the port as the PVID. All
802.1X users on this port can access only resources in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does not
perform any VLAN operation.
If an 802.1X Auth-Fail VLAN (see
device assigns the Auth-Fail VLAN to the port as the PVID. All users on
this port can access only resources in the Auth-Fail VLAN.
If no Auth-Fail VLAN is configured, the PVID on the port is still the
802.1X guest VLAN. All users on the port are in the guest VLAN.
•
The device assigns the authorization VLAN of the user to the port
as the PVID, and it removes the port from the 802.1X guest VLAN.
After the user logs off, the initial PVID of the port is restored.
•
If the authentication server does not authorize a VLAN, the initial
PVID applies. The user and all subsequent 802.1X users are
assigned to the initial port VLAN. After the user logs off, the port
VLAN remains unchanged.
NOTE:
The initial PVID of an 802.1X-enabled port refers to the PVID used by
the port before the port is assigned to any 802.1X VLANs.
VLAN manipulation
The device creates a mapping between the MAC address of the user and
the 802.1X guest VLAN. The user can access only resources in the guest
VLAN.
If an 802.1X Auth-Fail VLAN is available, the device remaps the MAC
address of the user to the Auth-Fail VLAN. The user can access only
resources in the Auth-Fail VLAN.
If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X
guest VLAN.
The device remaps the MAC address of the user to the authorization
VLAN.
If the authentication server does not authorize a VLAN, the device remaps
the MAC address of the user to the initial PVID on the port.
95
"Auth-Fail
VLAN") is available, the
Advertisement
Table of Contents
Troubleshooting
