| Authentication status | VLAN manipulation |
|---|---|
| A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable. | The device maps the MAC address of the user to the 802.1X critical VLAN. The user can access only resources in the 802.1X critical VLAN. |
| A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable. | The user is still in the critical VLAN. |
| A user in the 802.1X critical VLAN fails 802.1X authentication for any other reasons except for unreachable servers. | If an 802.1X Auth-Fail VLAN is configured, the device remaps the MAC address of the user to the Auth-Fail VLAN ID. If no 802.1X Auth-Fail VLAN has been configured, the device remaps the MAC address of the user to the initial PVID. |
| A user in the 802.1X critical VLAN passes 802.1X authentication. | The device remaps the MAC address of the user to the authorization VLAN. If the authentication server (either the local access device or a RADIUS server) does not authorize a VLAN to the user, the device remaps the MAC address of the user to the initial PVID on the port. |
| A user in the 802.1X guest VLAN fails authentication because all the RADIUS servers are unreachable. | The device remaps the MAC address of the user to the 802.1X critical VLAN. The user can access only resources in the 802.1X critical VLAN. |
| A user in the 802.1X Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable. | The user remains in the 802.1X Auth-Fail VLAN. |

For the 802.1X critical VLAN feature to take effect on a port that performs MAC-based access
control, make sure the following requirements are met:
- The port is a hybrid port.
- MAC-based VLAN is enabled on the port.
The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
When a reachable RADIUS server is detected, the device performs the following operations:
- If MAC-based access control is used, the device removes 802.1X users from the critical VLAN.
  The port sends unicast Identity EAP/Request packets to these users to trigger authentication.
- If port-based access control is used, the device removes the port from the critical VLAN. The port
  sends a multicast Identity EAP/Request to all 802.1X users on the port to trigger authentication.
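
The following Python model is an added example, not code from this guide or the device: it encodes the table rows above for a port using MAC-based access control and replays a sequence of authentication outcomes for one user, which is useful for deriving the expected VLAN when testing how a port behaves during a RADIUS outage. The VLAN IDs, state names and function names are constructed for illustration, and the re-authentication triggered when a server becomes reachable is modelled simply as the next outcome in the sequence.

```python
from enum import Enum

class Result(Enum):
    PASS = 1
    UNREACHABLE = 2   # failed because all RADIUS servers are unreachable
    OTHER_FAIL = 3    # failed for any other reason

# Constructed VLAN IDs, for illustration only (assumptions, not from the guide).
PVID, GUEST, AUTH_FAIL, CRITICAL = 1, 10, 20, 30

def next_state(state, result, auth_fail_vlan=AUTH_FAIL, authorized_vlan=None):
    """Apply one table row. state is (kind, vlan_id); returns the new state.

    auth_fail_vlan=None means no 802.1X Auth-Fail VLAN is configured.
    authorized_vlan=None means the server did not authorize a VLAN.
    """
    kind, _ = state
    if result is Result.UNREACHABLE:
        if kind in ("unassigned", "guest", "critical"):
            return ("critical", CRITICAL)
        if kind == "auth-fail":
            return state  # user remains in the Auth-Fail VLAN
    elif kind == "critical":
        if result is Result.OTHER_FAIL:
            if auth_fail_vlan is not None:
                return ("auth-fail", auth_fail_vlan)
            return ("unassigned", PVID)
        # Result.PASS: authorization VLAN if assigned, otherwise initial PVID
        return ("authorized", authorized_vlan if authorized_vlan is not None else PVID)
    # Combinations the table above does not describe are rejected, not guessed.
    raise ValueError(f"{kind!r} + {result.name} is not covered by this table")

def replay(results, state=("unassigned", PVID), **cfg):
    """Walk one user's MAC address through a sequence of outcomes."""
    trail = [state]
    for result in results:
        state = next_state(state, result, **cfg)
        trail.append(state)
    return trail

if __name__ == "__main__":
    # Outage, outage persists, server recovers and the user passes.
    for step in replay([Result.UNREACHABLE, Result.UNREACHABLE, Result.PASS],
                       authorized_vlan=100):
        print(step)
```

The third assertion-style case worth checking by hand is a user who fails for a non-outage reason and then hits a later outage: the model keeps that user in the Auth-Fail VLAN rather than moving it to the critical VLAN, as the last table row states.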
Using 802.1X authentication with other features
ACL assignment
You can specify an ACL for an 802.1X user to control its access to network resources. After the user
passes 802.1X authentication, the authentication server assigns the ACL to the access port to filter traffic