Extended Triple Authentication Features - HPE FlexNetwork 10500 Series Security Configuration Manual


terminal. If the terminal fails 802.1X authentication, the user stays online as a MAC
authentication user, and only 802.1X authentication can be triggered again.
If the terminal first passes 802.1X or Web authentication, the other types of authentication are
terminated immediately and cannot be triggered again.

Extended triple authentication features

The following sections briefly describe the authorization VLAN, authentication failure VLAN,
server-unreachable VLAN, authorization ACL, and online user detection features for triple
authentication. For more information about these features, see "Configuring 802.1X,"
"Configuring MAC authentication," and "Configuring Web authentication."

Authorization VLAN

After a user passes authentication, the authentication server assigns an authorization VLAN to the
access port for the user. The user can then access the network resources in the authorized VLAN.

Authentication failure VLAN

The access port adds a user to an authentication failure VLAN configured on the port after the user
fails authentication.
•  For an 802.1X authentication user—Adds the user to the Auth-Fail VLAN configured for 802.1X
   authentication.
•  For a Web authentication user—Adds the user to the Auth-Fail VLAN configured for Web
   authentication.
•  For a MAC authentication user—Adds the user to the guest VLAN configured for MAC
   authentication.
The access port supports configuring all types of authentication failure VLANs at the same time. If a
user fails more than one type of authentication, the authentication failure VLAN of the user changes
as follows:
•  If a user in the Web Auth-Fail VLAN fails MAC authentication, the user is moved to the MAC
   authentication guest VLAN.
•  If a user in the Web Auth-Fail VLAN or MAC authentication guest VLAN fails 802.1X
   authentication, the user is moved to the 802.1X Auth-Fail VLAN.
•  If a user in the 802.1X Auth-Fail VLAN fails MAC authentication or Web authentication, the user
   is still in the 802.1X Auth-Fail VLAN.

Server-unreachable VLAN

If a user fails authentication because the authentication server is unreachable, the access port adds
the user to a server-unreachable VLAN.
•  For an 802.1X authentication user—Adds the user to the critical VLAN configured for 802.1X
   authentication.
•  For a Web authentication user—Adds the user to the Auth-Fail VLAN configured for Web
   authentication.
•  For a MAC authentication user—Adds the user to the critical VLAN configured for MAC
   authentication.
The access port supports configuring all types of server-unreachable VLANs at the same time. A
user is added to the server-unreachable VLAN as follows:
•  If the user does not undergo 802.1X authentication, the user is added to the server-unreachable
   VLAN configured for the last authentication.
•  If the user in the Web Auth-Fail VLAN or the MAC authentication critical VLAN also fails 802.1X
   authentication, the user is added to the 802.1X authentication critical VLAN.
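
The authentication failure VLAN transitions described in this section can be checked against the VLAN a user is actually observed in. The following Python is an added example, not code from HPE or this manual; the VLAN labels, the session format and the sample data are constructed assumptions, and transitions the section does not state are reported as undefined rather than guessed.

```python
# Added example: models the authentication failure VLAN rules from this section.
# VLAN labels, event format and sample data are assumptions, not device output.
DOT1X, MAC, WEB = "802.1X", "MAC", "Web"
# Failure VLAN each method places a user in (first list in the section).
FAIL_VLAN = {DOT1X: "dot1x-auth-fail", MAC: "mac-guest", WEB: "web-auth-fail"}

def next_vlan(current, failed):
    """Return the VLAN after `failed` authentication fails, or None if the
    section does not define that transition."""
    target = FAIL_VLAN[failed]
    if current is None or current == target:
        return target          # first failure; same method again assumed no change
    if current == FAIL_VLAN[DOT1X]:
        return current         # user is still in the 802.1X Auth-Fail VLAN
    if failed == DOT1X:
        return target          # Web Auth-Fail / MAC guest -> 802.1X Auth-Fail
    if current == FAIL_VLAN[WEB] and failed == MAC:
        return target          # Web Auth-Fail -> MAC authentication guest VLAN
    return None                # e.g. MAC guest + Web failure: not stated

def expected_vlan(failures):
    """Fold a user's ordered failures into the expected failure VLAN."""
    vlan = None
    for method in failures:
        vlan = next_vlan(vlan, method)
        if vlan is None:
            return None
    return vlan

def audit(sessions):
    """Compare observed VLANs with the rules; sessions: MAC -> (failures, observed)."""
    findings = {}
    for mac, (failures, observed) in sessions.items():
        want = expected_vlan(failures)
        if want is None:
            findings[mac] = "undefined transition, verify on device"
        elif want != observed:
            findings[mac] = f"expected {want}, observed {observed}"
    return findings

# Constructed sample data (not real device output).
SAMPLE = {
    "0011-2233-4401": ([WEB, MAC, DOT1X], "dot1x-auth-fail"),
    "0011-2233-4402": ([DOT1X, WEB], "web-auth-fail"),   # left the 802.1X VLAN
    "0011-2233-4403": ([MAC, WEB], "mac-guest"),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding for a user observed outside the 802.1X Auth-Fail VLAN after an 802.1X failure indicates that the port configuration or the collected session data does not match the documented behavior.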
