The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned
VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after
a user passes authentication. After the user goes offline, the port returns to the initial VLAN of the port.
For details about VLAN configuration, refer to VLAN Configuration in the Access Volume.
With a Hybrid port, the VLAN assignment will fail if you have configured the assigned VLAN to carry
With a Hybrid port, you cannot configure an assigned VLAN to carry tags after the VLAN has been
When you enable the MAC VLAN function on a port, if there is one or more online 802.1X users on
the port, the MAC VLAN function takes effect only when the user passes re-authentication and the
server assigns a VLAN different from that assigned for the last authentication.
Guest VLAN allows unauthenticated users to access a specified VLAN, where the users can, for
example, download or upgrade the client software, or execute some user upgrade programs. This
VLAN is called the guest VLAN.
PGV refers to the guest VLAN configured on a port that uses the port-based access control method.
With PGV configured on a port, if no user initiates authentication on the port in a certain period of time
(90 seconds by default), the port will be added to the guest VLAN and all users accessing the port will
be authorized to access the resources in the guest VLAN. The device adds a PGV-configured port into
the guest VLAN according to the port's link type in the similar way as described in
If a user of a port in the guest VLAN initiates authentication and passes authentication successfully, the
port leaves the guest VLAN, and:
If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes
offline, the port returns to its initial VLAN, that is, the VLAN the port was in before it joined the guest
If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client
goes offline, the port still stays in its initial VLAN.
ACLs provide a way of controlling access to network resources and defining access rights. When a user
logs in through a port, and the RADIUS server is configured with authorization ACLs, the device will
permit or deny data flows traversing through the port according to the authorization ACLs. Before
specifying authorization ACLs on the server, you need to configure the ACL rules on the device. You
can change the access rights of users by modifying authorization ACL settings on the RADIUS server or
changing the corresponding ACL rules on the device.
Online User Handshake Function
The online user handshake function allows the device to send handshake messages to online users to
check whether the users are still online at the interval specified by the dot1x timer handshake-period
command. If the device does not receive any response from an online user after the device has sent the
handshake packet for the maximum number of times, which is set by the dot1x retry command, the
device will set the user state to offline.