Auth-Fail Vlan - HP FlexNetwork 10500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 10500 Series:
- Configuration manual (512 pages) ,
- Specifications (42 pages) ,
- Datasheet (20 pages)
Table of Contents
Advertisement
Authentication status
A user in the 802.1X guest
VLAN passes 802.1X
authentication.
•
On a port that performs MAC-based access control:
Authentication
status
A user has not passed
802.1X authentication.
A user in the 802.1X
guest VLAN fails 802.1X
authentication.
A user in the 802.1X
guest VLAN passes
802.1X authentication.
For the 802.1X guest VLAN feature to take effect on a port that performs MAC-based access
control, make sure the following requirements are met:
The port is a hybrid port.
MAC-based VLAN is enabled on the port.
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
Auth-Fail VLAN
The 802.1X Auth-Fail VLAN on a port accommodates users who have failed 802.1X authentication
because of the failure to comply with the organization security strategy. For example, the VLAN
accommodates users who have entered a wrong password. Users in the Auth-Fail VLAN can access
a limited set of network resources, such as a software server, to download antivirus software and
system patches.
The Auth-Fail VLAN does not accommodate 802.1X users who have failed authentication for
authentication timeouts or network connection problems.
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
•
On a port that performs port-based access control:
VLAN manipulation
•
The device assigns the authorization VLAN of the user to the port
as the PVID, and it removes the port from the 802.1X guest VLAN.
After the user logs off, the initial PVID of the port is restored.
•
If the authentication server does not authorize a VLAN, the initial
PVID applies. The user and all subsequent 802.1X users are
assigned to the initial port VLAN. After the user logs off, the port
VLAN remains unchanged.
NOTE:
The initial PVID of an 802.1X-enabled port refers to the PVID used by
the port before the port is assigned to any 802.1X VLANs.
VLAN manipulation
The device creates a mapping between the MAC address of the user and
the 802.1X guest VLAN. The user can access only resources in the guest
VLAN.
If an 802.1X Auth-Fail VLAN is available, the device remaps the MAC
address of the user to the Auth-Fail VLAN. The user can access only
resources in the Auth-Fail VLAN.
If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X
guest VLAN.
The device remaps the MAC address of the user to the authorization
VLAN.
If the authentication server does not authorize a VLAN, the device remaps
the MAC address of the user to the initial PVID on the port.
79
Advertisement
Table of Contents
Troubleshooting
