HP 5500 HI Series Configuration Manual page 89
Security
Hide thumbs
Also See for 5500 HI Series:
- Installation manual (72 pages) ,
- Compliance and safety manual (62 pages) ,
- Quickspecs (35 pages)
Table of Contents
Advertisement
Critical VLAN
You configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication
because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the
critical VLAN can access a limit set of network resources depending on your configuration.
The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS
servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned
to the critical VLAN. For more information about RADIUS configuration, see
For more information about VLAN configuration and MAC-based VLAN, see Layer 2
Configuration Guide.
The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X
access control mode.
1.
On a port that performs port-based access control
Authentication status
A user that has not been assigned to any
VLAN fails 802.1X authentication because
all the RADIUS servers are unreachable.
A user in the 802.1X critical VLAN fails
authentication because all the RADIUS
servers are unreachable.
A user in the 802.1X critical VLAN fails
authentication for any other reason than
server unreachable.
A user in the critical VLAN passes 802.1X
authentication.
A user in the 802.1X guest VLAN or the
Auth-Fail VLAN fails authentication because
all the RADIUS servers is reachable.
2.
On a port that performs MAC-based access control
To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you
must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.
Authentication status
A user that has not been assigned to any
VLAN fails 802.1X authentication because
all the RADIUS servers are unreachable.
VLAN manipulation
Assigns the critical VLAN to the port as the PVID. The 802.1X
user and all subsequent 802.1X users on this port can access
only resources in the critical VLAN.
The critical VLAN is still the PVID of the port, and all 802.1X
users on this port are in this VLAN.
If an Auth-Fail VLAN has been configured, the PVID of the port
changes to Auth-Fail VLAN ID, and all 802.1X users on this port
are moved to the Auth-Fail VLAN.
•
Assigns the VLAN specified for the user to the port as the
PVID, and removes the port from the critical VLAN. After the
user logs off, the default or user-configured PVID restores.
•
If the authentication server assigns no VLAN, the default or
user-configured PVID applies. The user and all subsequent
802.1X users are assigned to this port VLAN. After the user
logs off, this PVID remains unchanged.
The PVID of the port remains unchanged. All 802.1X users on
this port can access only resources in the guest VLAN or the
Auth-Fail VLAN.
VLAN manipulation
Maps the MAC address of the user to the critical VLAN. The
user can access only resources in the critical VLAN.
76
"Configuring
AAA."
LAN Switching
—
- Quick Links:
- Configuration Guide
- Configuring Aaa
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
