73
For more information about VLAN configuration and MAC-based VLAN, see Layer 2
—
LAN Switching
Configuration Guide.
Auth-Fail VLAN
You can configure an Auth-Fail VLAN to accommodate users who have failed 802.1X authentication
because of the failure to comply with the organization security strategy, such as using a wrong
password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software
server, to download anti-virus software and system patches.
The Auth-Fail VLAN does not accommodate 802.1X users who have failed authentication for
authentication timeouts or network connection problems. The way that the network access device
handles VLANs on the port differs by 802.1X access control mode.
1. On a port that performs port-based access control:
Authentication status VLAN manipulation
A user fails 802.1X
authentication
Assigns the Auth-Fail VLAN to the port as the default VLAN. All 802.1X
users on this port can access only resources in the Auth-Fail VLAN.
A user in the Auth-Fail VLAN
fails 802.1X re-authentication
The Auth-Fail VLAN is still the default VLAN on the port, and all 802.1X
users on this port are in this VLAN.
A user passes 802.1X
authentication
• Assigns the VLAN specified for the user to the port as the default VLAN,
and removes the port from the Auth-Fail VLAN. After the user logs off,
the user-configured default VLAN is restored.
• If the authentication server assigns no VLAN, the initial default VLAN
applies. The user and all subsequent 802.1X users are assigned to the
user-configured default VLAN. After the user logs off, the default VLAN
remains unchanged.
2. On a port that performs MAC-based access control:
Authentication status VLAN manipulation
A user fails 802.1X
authentication
Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can
access only resources in the Auth-Fail VLAN.
A user in the Auth-Fail VLAN
fails 802.1X re-authentication
The user is still in the Auth-Fail VLAN.
A user in the Auth-Fail VLAN
passes 802.1X authentication
Re-maps the MAC address of the user to the server-assigned VLAN.
If the authentication server assigns no VLAN, re-maps the MAC address of
the user to the initial default VLAN on the port.
To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you
must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.
The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2
—
LAN Switching
Configuration Guide.
To Next Page
Loading...
Need help?
General