Configuring An Auth-Fail Vlan For Web Authentication; Configuration Prerequisites - H3C S3100 Series Operation Manual


Before enabling global Web authentication, you should first set the IP address of a Web authentication server.
Do not add a Web authentication enabled port to a port aggregation group, and do not enable Web authentication on a port that is in a port aggregation group.
You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect. The Web authentication settings on ports take effect immediately once you enable Web authentication globally.
A Web authentication client and the switch with Web authentication enabled must be able to communicate at the network layer so that the Web authentication page can be displayed on the Web authentication client.
Web authentication is mutually exclusive with functions that depend on ACLs, such as IP filtering, ARP intrusion detection, QoS, and port binding.
After a user gets online in the shared access method, if you configure an authentication-free user whose IP address and MAC address are the same as those of the online user, the online user will be forced offline.
You can use the web-authentication select method extended command to enable Web authentication on a hybrid port.

Configuring an Auth-Fail VLAN for Web Authentication

In some cases, clients that fail Web authentication must still be allowed to access network resources such as the virus definitions upgrade server. You can configure a Web authentication Auth-Fail VLAN to meet such requirements.
A Web authentication Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a MAC-based Auth-Fail VLAN (MAFV), depending on the VLAN assignment mode:
PAFV: In this mode, if a user on a port fails Web authentication, the port will be added to the Auth-Fail VLAN, allowing all users on the port to access resources in the Auth-Fail VLAN.
MAFV: MAFV on a port requires cooperation of the MAC VLAN function on the port. When a user on the port fails Web authentication, the MAC address of the user will be bound with the Auth-Fail VLAN, and the user can access only the resources in the Auth-Fail VLAN.

Configuration Prerequisites

Enable Web authentication globally.
Create the VLAN to be configured as the Auth-Fail VLAN.
Configure the port as a hybrid port.
Enable Web authentication on the port and set the Web authentication access method on the port to extended.
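
The notes and prerequisites above can be checked against a planned configuration before it is applied. The following is an added example, not part of the H3C manual: the Port and Switch classes, their field names, the finding codes and the sample plan are assumptions made for illustration and do not parse real switch output.

```python
from dataclasses import dataclass, field
from typing import Optional
# Functions the manual lists as mutually exclusive with Web authentication.
ACL_DEPENDENT = {"ip-filtering", "arp-intrusion-detection", "qos", "port-binding"}

@dataclass
class Port:                      # hypothetical model of one port's planned settings
    name: str
    link_type: str = "access"
    web_auth: bool = False
    method: str = "shared"
    in_aggregation: bool = False
    features: set = field(default_factory=set)
    auth_fail_vlan: Optional[int] = None
    afv_mode: str = "PAFV"       # "PAFV" or "MAFV"
    mac_vlan: bool = False

@dataclass
class Switch:                    # hypothetical model of the planned switch state
    server_ip: Optional[str] = None
    web_auth_global: bool = False
    vlans: set = field(default_factory=set)
    ports: list = field(default_factory=list)

def check(sw):
    """Return (scope, finding) pairs for each rule on this page that the plan breaks."""
    out = [("global", "no-server-ip")] if sw.web_auth_global and not sw.server_ip else []
    for p in sw.ports:
        afv = p.auth_fail_vlan is not None
        rules = [
            (p.web_auth and p.in_aggregation, "aggregation-conflict"),
            (p.web_auth and bool(p.features & ACL_DEPENDENT), "acl-function-conflict"),
            ((p.web_auth or afv) and not sw.web_auth_global, "needs-global-enable"),
            (afv and p.auth_fail_vlan not in sw.vlans, "afv-vlan-not-created"),
            (afv and p.link_type != "hybrid", "afv-needs-hybrid-port"),
            (afv and not (p.web_auth and p.method == "extended"), "afv-needs-extended-method"),
            (afv and p.afv_mode == "MAFV" and not p.mac_vlan, "mafv-needs-mac-vlan"),
        ]
        out += [(p.name, code) for broken, code in rules if broken]
    return out

# Constructed sample plan: one compliant port and one that breaks several rules.
PLAN = Switch(server_ip="192.0.2.10", web_auth_global=True, vlans={1, 50}, ports=[
    Port("Ethernet1/0/1", "hybrid", True, "extended", auth_fail_vlan=50),
    Port("Ethernet1/0/2", "access", True, "shared", in_aggregation=True,
         features={"qos"}, auth_fail_vlan=60, afv_mode="MAFV"),
])
if __name__ == "__main__":
    print(*check(PLAN), sep="\n")
```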