Vlan Assignment - HP FlexFabric 5700 Series Security Configuration Manual


For more information about configuring local authentication and RADIUS authentication, see
"Configuring AAA."

VLAN assignment

MAC authentication supports the authorization VLAN, guest VLAN, and critical VLAN.

Authorization VLAN

You can specify the authorization VLAN for a MAC authentication user to control access to authorized
network resources.

On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VLAN
name.

On the local access device, the authorization VLAN must be specified in the form of VLAN ID. You
can specify the authorization VLAN in the following views:
• Local user view.
• User group view.

For more information about local authorization VLAN configuration, see "Configuring AAA."

When the MAC authentication user passes authentication, the authentication server (either the local
access device or a RADIUS server) assigns the authorization VLAN to the user.

The port through which the user accesses the device is assigned to the authorization VLAN. A hybrid port
is always assigned to a server-assigned authorization VLAN as an untagged member. After the
assignment, do not reconfigure the port as a tagged member in the VLAN.

Table 9 describes the way the network access device handles authorization VLANs for MAC
authenticated users.

Table 9 VLAN manipulation

| Port type | VLAN manipulation |
|---|---|
| Access port, trunk port, or hybrid port with MAC-based VLAN disabled | The device assigns the first authenticated user's authorization VLAN to the port as the PVID. NOTE: For these port types, you must assign the same authorization VLAN to all MAC authentication users on a port. If a different authorization VLAN is assigned to a subsequent user, the user cannot pass MAC authentication. |
| Hybrid port with MAC-based VLAN enabled | The device maps the MAC address of each user to the authorization VLAN. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed. |

Guest VLAN

You can configure a MAC authentication guest VLAN on a port to accommodate users that have failed
MAC authentication on the port. Users in the MAC authentication guest VLAN can access a limited set
of network resources, such as a software server, to download software and system patches. If no MAC
authentication guest VLAN is configured, the users that have failed MAC authentication cannot access
any network resources.

A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After
the assignment, do not reconfigure the port as a tagged member in the VLAN.
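
The authorization VLAN handling in Table 9, modelled as an added Python example (not code from the HP manual or the device software). The port-type labels, the initial PVID of 1, and the sample MAC addresses are constructed assumptions. It shows why a second user with a different server-assigned VLAN fails on access, trunk, and MAC-based-VLAN-disabled hybrid ports but passes when MAC-based VLAN is enabled.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical labels for the port types listed in Table 9.
FIRST_USER_PVID = {"access", "trunk", "hybrid"}  # "hybrid" = MAC-based VLAN disabled
MAC_VLAN = "hybrid-mac-vlan"                     # hybrid port, MAC-based VLAN enabled


@dataclass
class Port:
    kind: str
    pvid: int = 1                                # constructed initial PVID
    auth_vlan: int | None = None                 # VLAN taken from the first user
    mac_to_vlan: dict = field(default_factory=dict)

    def authenticate(self, mac: str, vlan: int) -> bool:
        """Apply a server-assigned authorization VLAN; return pass/fail."""
        if self.kind == MAC_VLAN:
            # Each MAC is mapped to its own VLAN; the PVID does not change.
            self.mac_to_vlan[mac] = vlan
            return True
        if self.kind not in FIRST_USER_PVID:
            raise ValueError(f"unknown port type: {self.kind}")
        if self.auth_vlan is None:
            # First authenticated user: its VLAN becomes the port PVID.
            self.auth_vlan = self.pvid = vlan
            return True
        # Later users must be assigned the same VLAN or they fail.
        return vlan == self.auth_vlan

    def logoff(self, mac: str) -> None:
        # Table 9 only describes removal of the MAC-to-VLAN mapping at logoff.
        self.mac_to_vlan.pop(mac, None)


def replay(kind: str, events: list[tuple[str, int]]) -> list[bool]:
    """Replay (mac, vlan) authentications on a fresh port of the given type."""
    port = Port(kind)
    return [port.authenticate(mac, vlan) for mac, vlan in events]


# Constructed sample: two endpoints on one port, given different VLANs by the server.
EVENTS = [("0011-2233-4455", 100), ("0011-2233-4466", 200)]

if __name__ == "__main__":
    for kind in ("access", "trunk", "hybrid", MAC_VLAN):
        print(kind, replay(kind, EVENTS))
```

Replaying a planned set of server VLAN assignments this way before rollout flags ports where several endpoints share an access, trunk, or plain hybrid port but are assigned different VLANs.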
