H3C LS-3100-52P-OVS-H3 Operation Manual page 1356

S5500-ei series ethernet switches
The assigned VLAN neither changes nor affects the configuration of a port. However, because the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to its initial VLAN. For details about VLAN configuration, refer to VLAN Configuration in the Access Volume.

With a Hybrid port, the VLAN assignment will fail if you have configured the assigned VLAN to carry tags.

With a Hybrid port, you cannot configure an assigned VLAN to carry tags after the VLAN has been assigned.
Guest VLAN
Guest VLAN allows unauthenticated users and users failing authentication to access a specified VLAN, where the users can, for example, download or upgrade the client software, or execute some user upgrade programs. This VLAN is called the guest VLAN.

Currently, on the S5500-EI series Ethernet switches, a guest VLAN can only be a port-based guest VLAN (PGV), which is supported on a port that uses the access control method of portbased.

With PGV configured on a port, if no users are successfully authenticated on the port within a certain period of time (90 seconds by default), the port is added to the guest VLAN and all users accessing the port are authorized to access the resources in the guest VLAN.

The device adds a PGV-configured port to the guest VLAN according to the port's link type, in a similar way to that described in VLAN assignment. When a user of a port in the guest VLAN initiates an authentication, if the authentication is not successful, the port stays in the guest VLAN; if the authentication is successful, the port leaves the guest VLAN, and:

If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes offline, the port returns to its initial VLAN, that is, the VLAN specified for it during port configuration, or, in other words, the VLAN it was in before it joined the guest VLAN.

If the authentication server does not assign any VLAN, the port returns to its initial VLAN. After the client goes offline, the port just stays in its initial VLAN.
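The port VLAN lifecycle described in the VLAN assignment and Guest VLAN sections (initial VLAN, guest VLAN after the 90-second timeout, server-assigned VLAN after successful authentication, return to the initial VLAN at logoff, and the Hybrid-port tagged-VLAN failure case) as a small simulation. This is an added example, not H3C code; the Port model, its state names and the "port keeps its current VLAN when assignment fails" behaviour are assumptions for illustration, not Comware internals.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

GUEST_VLAN_DELAY = 90  # seconds with no successful authentication (page default)


@dataclass
class Port:
    link_type: str                 # "access", "trunk" or "hybrid"
    initial_vlan: int              # VLAN specified during port configuration
    guest_vlan: Optional[int] = None
    tagged_vlans: Set[int] = field(default_factory=set)  # hybrid port: VLANs carrying tags
    current_vlan: int = 0
    state: str = "initial"

    def __post_init__(self) -> None:
        self.current_vlan = self.initial_vlan

    def tick(self, seconds_without_auth: int) -> int:
        """PGV: no user authenticated within the delay -> port joins the guest VLAN."""
        if (self.guest_vlan is not None and self.state == "initial"
                and seconds_without_auth >= GUEST_VLAN_DELAY):
            self.current_vlan, self.state = self.guest_vlan, "guest"
        return self.current_vlan

    def authenticate(self, success: bool, assigned_vlan: Optional[int]) -> bool:
        """Outcome of a user's 802.1X attempt. Returns True if the port VLAN changed."""
        if not success:
            return False  # failed auth: port stays where it is (guest or initial VLAN)
        if assigned_vlan is None:
            # Server assigned nothing: port leaves the guest VLAN for its initial VLAN
            self.current_vlan, self.state = self.initial_vlan, "authenticated"
            return True
        if self.link_type == "hybrid" and assigned_vlan in self.tagged_vlans:
            # Hybrid port: assignment fails when the assigned VLAN carries tags
            self.state = "assignment-failed"  # assumption: current VLAN is kept
            return False
        # Assigned VLAN outranks the initial VLAN; port configuration is untouched
        self.current_vlan, self.state = assigned_vlan, "assigned"
        return True

    def logoff(self) -> int:
        """User goes offline: the port returns to its initial VLAN."""
        self.current_vlan, self.state = self.initial_vlan, "initial"
        return self.current_vlan
```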
ACL assignment
ACLs provide a way of controlling access to network resources and defining access rights. When a user logs in through a port, and the RADIUS server is configured with authorization ACLs, the device permits or denies data flows traversing the port according to the authorization ACLs. Before specifying authorization ACLs on the server, you need to configure the ACL rules on the device. You can change the access rights of users by modifying authorization ACL settings on the RADIUS server or by changing the corresponding ACL rules on the device.
Mandatory authentication domain for a specified port
The mandatory authentication domain function provides a security control mechanism for 802.1x access. With a mandatory authentication domain specified for a port, the system uses the mandatory
1-11