74
Authentication status
VLAN manipulation
A user in the 802.1X guest
VLAN fails 802.1X
authentication.
If an 802.1X Auth-Fail VLAN (see "
") is available, the
device assigns the Auth-Fail VLAN to the port as the PVID. All users on this
port can access only resources in the Auth-Fail VLAN.
If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X
guest VLAN. All users on the port are in the guest VLAN.
A user in the 802.1X guest
VLAN passes 802.1X
authentication.
•
The device assigns the authorization VLAN of the user to the port as
the PVID, and it removes the port from the 802.1X guest VLAN. After
the user logs off, the initial PVID of the port is restored.
•
If the authentication server does not authorize a VLAN, the initial PVID
applies. The user and all subsequent 802.1X users are assigned to the
initial port VLAN. After the user logs off, the port VLAN remains
unchanged.
NOTE:
The initial PVID of an 802.1X-enabled port refers to the PVID used by the
port before the port is assigned to any 802.1X VLANs.
•
On a port that performs MAC-based access control:
Authentication status
VLAN manipulation
A user has not passed
802.1X authentication.
The device creates a mapping between the MAC address of the user and the
802.1X guest VLAN. The user can access only resources in the guest VLAN.
A user in the 802.1X guest
VLAN fails 802.1X
authentication.
If an 802.1X Auth-Fail VLAN is available, the device remaps the MAC
address of the user to the Auth-Fail VLAN. The user can access only
resources in the Auth-Fail VLAN.
If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X
guest VLAN.
A user in the 802.1X guest
VLAN passes 802.1X
authentication.
The device remaps the MAC address of the user to the authorization VLAN.
If the authentication server does not authorize a VLAN, the device remaps
the MAC address of the user to the initial PVID on the port.
For the 802.1X guest VLAN feature to take effect on a port that performs MAC-based access
control, make sure the following requirements are met:
{
The port is a hybrid port.
{
MAC-based VLAN is enabled on the port.
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see
Layer 2—LAN
Switching Configuration Guide
.
Auth-Fail VLAN
The 802.1X Auth-Fail VLAN on a port accommodates users who have failed 802.1X authentication
because of the failure to comply with the organization security strategy. For example, the VLAN
accommodates users who have entered a wrong password. Users in the Auth-Fail VLAN can access a
limited set of network resources, such as a software server, to download antivirus software and system
patches.