329
Guest VLAN
You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X
authentication or have failed 802.1X authentication, so they can access a limited set of network resources,
such as a software server, to download anti-virus software and system patches. After a user in the guest
VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network
resources.
The device supports guest VLAN on a port that performs port-based access control. The following table
describes the way how the device handles VLANs on such port.
Authentication status
VLAN manipulation
No 802.1X user has performed
authentication within 90 seconds after
802.1X is enabled or the 802.1X user has
failed 802.1X authentication
Assigns the 802.1X guest VLAN to the port as the default
VLAN. All 802.1X users on this port can access only resources
in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does
not perform any VLAN operation.
A user in the 802.1X guest VLAN fails
802.1X authentication
The default VLAN on the port is still the 802.1X guest VLAN. All
users on the port are in the guest VLAN.
A user in the 802.1X guest VLAN passes
802.1X authentication
Assigns the VLAN specified for the user to the port as the
default VLAN, and removes the port from the 802.1X guest
VLAN. After the user logs off, the user configured default
VLAN restores.
If the authentication server assigns no VLAN, the user
configured default VLAN applies. The user and all
subsequent 802.1X users are assigned to the
user-configured default VLAN. After the user logs off, the
default VLAN remains unchanged.
NOTE:
The device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
ACL assignment
You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes
802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns
the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access
device. You can change ACL rules while the user is online.
Configuring 802.1X
Configuration prerequisites
Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
If RADIUS authentication is used, create user accounts on the RADIUS server.
If local authentication is used, create local user accounts on the access device and set the service type
to
lan-access
.
For how to configure RADIUS client and local EAP authentication, see the chapter “AAA
configuration”.
Содержание V1910
Страница 1: ...1 HP V1910 Switch Series User Guide 5998 2238 Part number 5998 2238 Document version 2 ...
Страница 85: ...73 c Display the rate settings of ports ...
Страница 102: ...90 a Port traffic statistics ...
Страница 186: ...174 a The MAC tab Click Add in the bottom to enter the page as shown in b b Create a MAC address entry ...
Страница 252: ...240 b The Port Setup tab ...
Страница 260: ...248 d The Port Setup tab ...
Страница 362: ...350 a Ping operation summary ...
Страница 421: ...409 c Configure authorized IP ...
Страница 479: ...467 Index A B C D E F G H I L M O P Q R S T V W ...