H3C S5600 Series Operation Manual page 199


A port in macAddressOrUserLoginSecure mode supports guest VLAN configurations.
The port can connect multiple users, but serves only one user at a time.
1) When the first user of the port initiates 802.1X or MAC authentication:
If the user fails the authentication, the port is added to the guest VLAN, and all the
other users of the port are authorized to access the guest VLAN.
If the user passes the authentication, authentication requests from other users are not
handled because only one user is allowed to pass authentication using the port. The
other users will fail the authentication, but the port will not be added to the guest VLAN.
2) After the port is added to the guest VLAN:
The users of the port can initiate 802.1X authentication. If a user passes authentication,
the port leaves the guest VLAN and is added to the original VLAN (that is, the one the
port belonged to before it was added to the guest VLAN). The port then does not handle
other users' authentication requests.
MAC authentication is also allowed. However, MAC authentication in this case cannot
be triggered by user requests; the switch will use the first MAC address learned in the
guest VLAN to initiate MAC authentication at a certain interval. If the authentication
succeeds, the port leaves the guest VLAN.
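
The port behaviour described above, as a small Python model added for illustration (not H3C code or switch output). The class name, return labels, VLAN IDs and MAC addresses are constructed, and treating the failing user's MAC as the first one learned in the guest VLAN is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class GuestVlanPort:
    """Toy model of one port in macAddressOrUserLoginSecure mode (constructed)."""
    original_vlan: int
    guest_vlan: int
    in_guest_vlan: bool = False
    online_user: Optional[str] = None      # the single user the port serves
    first_guest_mac: Optional[str] = None  # first MAC learned in the guest VLAN

    @property
    def vlan(self) -> int:
        return self.guest_vlan if self.in_guest_vlan else self.original_vlan

    def _admit(self, mac: str) -> str:
        self.online_user, self.in_guest_vlan = mac, False  # back to the original VLAN
        return "passed"

    def user_auth(self, mac: str, ok: bool, method: str = "802.1X") -> str:
        """Authentication initiated by a user on the port."""
        if self.online_user is not None:
            return "failed"    # port busy; it is NOT moved to the guest VLAN
        if self.in_guest_vlan and method == "MAC":
            return "ignored"   # in the guest VLAN only the timer starts MAC auth
        if ok:
            return self._admit(mac)
        if not self.in_guest_vlan:
            # Assumption: the failing user's MAC is the first learned in the guest VLAN.
            self.in_guest_vlan, self.first_guest_mac = True, mac
        return "guest"         # every user on the port now sees the guest VLAN

    def reauth_timer(self, mac_ok: Callable[[str], bool]) -> bool:
        """guest-vlan-reauth interval expired: the switch retries MAC authentication."""
        if self.in_guest_vlan and self.first_guest_mac and mac_ok(self.first_guest_mac):
            self._admit(self.first_guest_mac)
            return True
        return False

def demo() -> list:
    p = GuestVlanPort(original_vlan=10, guest_vlan=99)  # constructed VLAN IDs and MACs
    return [
        p.user_auth("00e0-fc00-0001", ok=False), p.vlan,       # first user fails
        p.user_auth("00e0-fc00-0002", ok=True, method="MAC"),  # not user-triggered
        p.reauth_timer(lambda mac: False),                     # timer retry fails
        p.user_auth("00e0-fc00-0002", ok=True), p.vlan,        # 802.1X success
        p.user_auth("00e0-fc00-0003", ok=False), p.vlan,       # port busy
    ]
```

The model makes the access-control consequence visible: the guest VLAN is a property of the port, not of the user, so one failed authentication exposes the guest VLAN to every device attached to that port.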
Follow these steps to configure a guest VLAN for a port in
macAddressOrUserLoginSecure mode:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Set the interval at which the switch triggers MAC authentication after a port is added to the guest VLAN | port-security timer guest-vlan-reauth interval | Optional |
| Enter Ethernet port view | interface interface-type interface-number | |
| Set the security mode to macAddressOrUserLoginSecure | port-security port-mode userlogin-secure-or-mac | Required |
| Specify a VLAN as the guest VLAN of the port | port-security guest-vlan vlan-id | Required |

Note that:
Only an existing VLAN can be specified as a guest VLAN. Make sure the guest VLAN
of a port contains the resources that the users need.
If one user of the port has passed or is undergoing authentication, you cannot specify
a guest VLAN for it.
When a user using a port with a guest VLAN specified fails the authentication, the port
is added to the guest VLAN and users of the port can access only the resources in the
guest VLAN.
Multiple users may connect to one port in the macAddressOrUserLoginSecure mode
for authentication; however, after a guest VLAN is specified for the port, only one user
can pass the security authentication. In this case, the authentication client software of
the other 802.1X users displays messages about the failure; MAC authentication does
not have any client software and therefore no such messages will be displayed.


This manual is also suitable for:

S5600-26c, S5600-26c-pwr, S5600-26f, S5600-50c, S5600-50c-pwr
