describes how the access device handles VLANs (except for the VLANs specified with suffixes) on an 802.1X-enabled port.
Table 6 VLAN manipulation

Port access control method: Port-based
VLAN manipulation:
The device assigns the authorization VLAN to the port as the PVID. The authenticated 802.1X user and all subsequent 802.1X users can access the VLAN without authentication.
When the user logs off, the previous PVID is restored, and all other online users are logged off.

Port access control method: MAC-based
VLAN manipulation:
• If the port is a hybrid port enabled with MAC-based VLAN, the device maps the MAC address of each user to the authorization VLAN. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
• If the port is an access, trunk, or MAC-based VLAN-disabled hybrid port, the device assigns the first authenticated user's authorization VLAN to the port as the PVID. If a different VLAN is authorized to a subsequent user, the user cannot pass the authentication. To ensure successful authentication of subsequent users, authorize the same VLAN to all 802.1X users on these ports.
A hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not
reconfigure the port as a tagged member in the VLAN.
On a port enabled with periodic online user reauthentication, the MAC-based VLAN feature does not take effect on a user who has been online before this feature was enabled. The access device creates a MAC-to-VLAN mapping for the user when the following requirements are met:
• The user passes reauthentication.
• The authorization VLAN for the user is changed.
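The following Python model, added here as an illustration and not taken from the vendor's software, walks through the Table 6 rules: a port-based port adopts the first user's authorization VLAN as PVID and drops every other user when that user logs off, a MAC-based VLAN-enabled hybrid port keeps a per-MAC mapping with the PVID untouched, and an access, trunk, or MAC-based VLAN-disabled hybrid port rejects a subsequent user whose authorization VLAN differs from the PVID. The port and user values are constructed, and restoring the PVID after the last MAC-based user logs off is an assumption the text does not state.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Constructed model of one 802.1X-enabled port (not vendor code)."""
    method: str                # "port-based" or "mac-based"
    link_type: str = "hybrid"  # "access", "trunk" or "hybrid"
    mac_vlan: bool = False     # MAC-based VLAN feature enabled (hybrid ports only)
    pvid: int = 1
    saved_pvid: int = 1        # PVID to restore when the authorization VLAN is released
    online: dict = field(default_factory=dict)  # MAC -> VLAN of each online user

    def _per_user_mapping(self) -> bool:
        # Only a MAC-based VLAN-enabled hybrid port maps each MAC to its own VLAN.
        return self.method == "mac-based" and self.link_type == "hybrid" and self.mac_vlan

    def authorize(self, mac: str, vlan: int) -> bool:
        """Apply an authorization VLAN for a user; returns True if the user comes online."""
        if self._per_user_mapping():
            self.online[mac] = vlan        # MAC-to-VLAN mapping; PVID is untouched
            return True
        if self.online:                    # port already carries an authorization VLAN
            if self.method == "port-based":
                self.online[mac] = self.pvid  # subsequent users ride the PVID, no auth
                return True
            if vlan != self.pvid:
                return False               # MAC-based, different VLAN: cannot pass
        else:
            self.saved_pvid = self.pvid
            self.pvid = vlan               # first user's VLAN becomes the PVID
        self.online[mac] = vlan
        return True

    def logoff(self, mac: str) -> list:
        """Log off a user; returns the MACs of other users forced offline."""
        if mac not in self.online:
            return []
        del self.online[mac]
        if self._per_user_mapping():
            return []                      # only that user's mapping is removed
        if self.method == "port-based":
            forced = list(self.online)     # previous PVID restored, everyone else dropped
            self.online.clear()
            self.pvid = self.saved_pvid
            return forced
        if not self.online:                # assumption: PVID restored after last MAC-based user
            self.pvid = self.saved_pvid
        return []
```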
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.
Guest VLAN
The 802.1X guest VLAN on a port accommodates users who have not performed 802.1X authentication.
Users in the guest VLAN can access a limited set of network resources, such as a software server, to
download antivirus software and system patches. Once a user in the guest VLAN passes 802.1X
authentication, it is removed from the guest VLAN and can access authorized network resources.
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.
• On a port that performs port-based access control:

Authentication status: A user has not passed 802.1X authentication.
VLAN manipulation: The device assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.