Critical Vlan - HP FlexNetwork 10500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 10500 Series:
- Configuration manual (512 pages) ,
- Specifications (42 pages) ,
- Datasheet (20 pages)
Table of Contents
Advertisement
Authentication status
A user fails 802.1X
authentication.
A user in the 802.1X
Auth-Fail VLAN fails 802.1X
authentication because of
any other reason except for
unreachable servers.
A user passes 802.1X
authentication.
•
On a port that performs MAC-based access control:
Authentication status
A user fails 802.1X
authentication.
A user in the 802.1X
Auth-Fail VLAN fails 802.1X
authentication because of
any other reason except for
unreachable servers.
A user in the 802.1X
Auth-Fail VLAN passes
802.1X authentication.
For the 802.1X Auth-Fail VLAN feature to take effect on a port that performs MAC-based
access control, make sure the following requirements are met:
The port is a hybrid port.
MAC-based VLAN is enabled on the port.
The access device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
Critical VLAN
The 802.1X critical VLAN on a port accommodates 802.1X users who have failed authentication
because none of the RADIUS servers in their ISP domain is reachable. Users in the critical VLAN
can access a limited set of network resources depending on the configuration.
The critical VLAN feature takes effect when 802.1X authentication is performed only through
RADIUS servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is
not assigned to the critical VLAN. For more information about the authentication methods, see
"Configuring
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
VLAN manipulation
The device assigns the Auth-Fail VLAN to the port as the PVID. All
802.1X users on this port can access only resources in the Auth-Fail
VLAN.
The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users
on this port are in this VLAN.
•
•
VLAN manipulation
The device maps the MAC address of the user to the 802.1X Auth-Fail
VLAN. The user can access only resources in the Auth-Fail VLAN.
The user is still in the Auth-Fail VLAN.
The device remaps the MAC address of the user to the authorization
VLAN.
If the authentication server does not authorize a VLAN, the device
remaps the MAC address of the user to the initial PVID on the port.
AAA."
The device assigns the authorization VLAN of the user to the port
as the PVID, and it removes the port from the Auth-Fail VLAN.
After the user logs off, the guest VLAN is assigned to the port as
the PVID. If no guest VLAN is configured, the initial PVID of the
port is restored.
If the authentication server does not authorize a VLAN, the initial
PVID of the port applies. The user and all subsequent 802.1X
users are assigned to the initial PVID. After the user logs off, the
PVID remains unchanged.
80
Advertisement
Table of Contents
Troubleshooting
