H3C S3100 Series Operation Manual page 460

In PGV or PAFV mode, when a user fails MAC authentication on a port, the device adds the port to the
guest VLAN or Auth-Fail VLAN. Therefore, the guest VLAN can separate unauthenticated users on an
access port. When it comes to a trunk port or a hybrid port, if a packet itself carries a VLAN tag and the
VLAN is allowed on the port, the port will forward the packet according to the VLAN tag, regardless of
the guest VLAN or Auth-Fail VLAN. That is, packets can be forwarded to the VLANs other than the
guest VLAN or Auth-Fail VLAN through the Trunk or Hybrid port, even if users fail to pass
authentication.
Table 1-3 Configure a guest VLAN or Auth-Fail VLAN
Operation
Enter system view
Enter Ethernet port view
Configure the guest VLAN for
MAC authentication
Configure the Auth-Fail VLAN
for MAC authentication
Return to system view
Configure the interval at which
the switch re-authenticates
users in guest VLANs
Command
system-view
interface interface-type
interface-number
mac-authentication
guest-vlan vlan-id
mac-authentication auth-fail
vlan authfail-vlan-id
quit
mac-authentication timer
guest-vlan-reauth interval
1-5
Description
—
—
Required
Not configured by default.
Optional
Not configured by default.
—
Optional
By default, the switch
re-authenticates the users in
guest VLANs at the interval of
30 seconds by default.