If a user of a port in the guest VLAN initiates the authentication process but fails the authentication, the
device will add the user to the Auth-Fail VLAN configured for the port, if any. If no Auth-Fail
VLAN is configured, the device will keep the user in the guest VLAN.
If a user of a port in the guest VLAN initiates authentication and passes the authentication, the device
will add the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on
whether the authentication server assigns a VLAN.
Auth-Fail VLAN
The Auth-Fail VLAN feature allows users failing authentication to access a specified VLAN, which is
called the Auth-Fail VLAN. Note that failing authentication means being denied by the authentication
server due to reasons such as wrong password. Authentication failures caused by authentication
timeout or network connection problems do not fall into this category.
Similar to a guest VLAN, an Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a
MAC-based Auth-Fail VLAN (MAFV), depending on the port access control method.
1) PAFV
PAFV refers to the Auth-Fail VLAN configured on a port that uses the port-based access control method.
With PAFV configured on a port, if a user on the port fails authentication, the port will be added to the
Auth-Fail VLAN and all users accessing the port will be authorized to access the resources in the
Auth-Fail VLAN. The device adds a PAFV-configured port into the Auth-Fail VLAN according to the
port's link type in a similar way to that described in VLAN assignment.
If a user of a port in the Auth-Fail VLAN initiates authentication but fails the authentication, the port stays
in the Auth-Fail VLAN. If the user passes the authentication successfully, the port leaves the Auth-Fail
VLAN, and:
• If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes
offline, the port returns to its initial VLAN, that is, the VLAN the port was in before it was added to
any authorized VLAN.
• If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client
goes offline, the port still stays in its initial VLAN.
2) MAFV
MAFV refers to the Auth-Fail VLAN configured on a port that uses the MAC-based access control
method. With MAFV configured on a port, if a user on the port fails authentication, the user will be
authorized to access the resources in the Auth-Fail VLAN. If the user initiates authentication again and
passes the authentication, the device will add the user to the assigned VLAN or return the user to the
initial VLAN of the port, depending on whether the authentication server assigns a VLAN.
ACL assignment
ACLs provide a way of controlling access to network resources and defining access rights. When a user
logs in through a port, and the RADIUS server is configured with authorization ACLs, the device will
permit or deny data flows traversing through the port according to the authorization ACLs. Before
specifying authorization ACLs on the server, you need to configure the ACL rules on the device. You
can change the access rights of users by modifying authorization ACL settings on the RADIUS server or
changing the corresponding ACL rules on the device.
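The following simulation, added here as an example and not taken from the switch's software or this manual, models the Auth-Fail VLAN behaviour described above for both port-based (PAFV) and MAC-based (MAFV) access control, together with the authorization-ACL step: the server's Access-Accept names an ACL number, and the device can only apply it if the rules were configured locally beforehand. The class and method names, the RadiusResult shape, the (action, src, dst) rule format and the choices for unmatched flows and for server timeouts are all assumptions of this example, not documented device behaviour.

```python
# Constructed model of 802.1X Auth-Fail VLAN handling and authorization ACLs.
# Not the switch's implementation: event names, RadiusResult, the ACL rule
# format and the default actions below are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional

PORT_BASED = "port"   # PAFV semantics: the whole port changes VLAN
MAC_BASED = "mac"     # MAFV semantics: each user MAC is placed individually


@dataclass
class RadiusResult:
    """Outcome of one authentication attempt (assumed shape)."""
    accepted: Optional[bool]              # True/False from server; None = timeout
    assigned_vlan: Optional[int] = None   # None: server assigns no VLAN
    acl_number: Optional[int] = None      # None: no authorization ACL


@dataclass
class Acl:
    """Assumed rule format: ordered (action, src, dst) tuples, first match wins.
    The page does not state what happens to unmatched flows, so 'default' is an
    explicit, labelled assumption rather than documented device behaviour."""
    rules: list
    default: str = "deny"

    def action(self, src: str, dst: str) -> str:
        for act, rule_src, rule_dst in self.rules:
            if rule_src in (src, "any") and rule_dst in (dst, "any"):
                return act
        return self.default


class Dot1xPort:
    def __init__(self, initial_vlan, method, guest_vlan=None, auth_fail_vlan=None):
        self.initial_vlan = initial_vlan
        self.method = method
        self.auth_fail_vlan = auth_fail_vlan
        self.acls = {}         # ACL rules configured on the device, by number
        # An unauthenticated port sits in its guest VLAN if one is configured.
        self.port_vlan = guest_vlan if guest_vlan is not None else initial_vlan
        self.user_vlan = {}    # MAC-based only: VLAN per user MAC
        self.user_acl = {}     # MAC -> Acl applied after successful authentication

    def configure_acl(self, number, acl):
        self.acls[number] = acl

    def vlan_of(self, mac):
        if self.method == PORT_BASED:
            return self.port_vlan
        return self.user_vlan.get(mac, self.port_vlan)

    def _place(self, mac, vlan):
        if self.method == PORT_BASED:
            self.port_vlan = vlan          # PAFV: all users on the port move
        else:
            self.user_vlan[mac] = vlan     # MAFV: only this user moves

    def authenticate(self, mac, result):
        if result.accepted is None:
            # Timeout / connectivity problem: not an authentication failure in
            # the page's sense, so no Auth-Fail VLAN; leaving state unchanged
            # is this example's assumption.
            return
        if not result.accepted:
            # Denied by the server (e.g. wrong password): move to the Auth-Fail
            # VLAN if configured, otherwise stay where the user already is.
            if self.auth_fail_vlan is not None:
                self._place(mac, self.auth_fail_vlan)
            return
        # Accepted: assigned VLAN if the server sends one, else the initial VLAN.
        target = result.assigned_vlan if result.assigned_vlan is not None else self.initial_vlan
        self._place(mac, target)
        if result.acl_number is not None:
            if result.acl_number not in self.acls:
                # The page requires the ACL rules to exist on the device before
                # the server references them; raising here is this example's choice.
                raise LookupError(f"ACL {result.acl_number} not configured on device")
            self.user_acl[mac] = self.acls[result.acl_number]

    def logoff(self, mac):
        self.user_acl.pop(mac, None)
        if self.method == PORT_BASED:
            self.port_vlan = self.initial_vlan   # port returns to its initial VLAN
        else:
            self.user_vlan.pop(mac, None)

    def permits(self, mac, src, dst):
        """True if a flow from src to dst is allowed for this user (assumption:
        a user with no authorization ACL is forwarded normally)."""
        acl = self.user_acl.get(mac)
        return True if acl is None else acl.action(src, dst) == "permit"
```

Two details worth trying on the model: a failed attempt on a port without an Auth-Fail VLAN leaves the user in the guest VLAN, and a server that references an ACL number the device does not have raises immediately, which is the practical reason the page tells you to configure the rules locally before pointing the RADIUS profile at them.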
Mandatory authentication domain for a specified port
The mandatory authentication domain function provides a security control mechanism for 802.1X
access. With a mandatory authentication domain specified for a port, the system uses the mandatory