Auth-fail vlan – H3C Technologies H3C S3100 Series Switches User Manual


If a user of a port in the guest VLAN initiates authentication but fails the authentication, the port will be added to the Auth-Fail VLAN configured for the port, if any. If no Auth-Fail VLAN is configured, the port will stay in the guest VLAN.

If a user of a port in the guest VLAN initiates authentication and passes authentication successfully, the port leaves the guest VLAN, and:

- If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes offline, the port returns to its initial VLAN, that is, the VLAN the port was in before it joined the guest VLAN.
- If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client goes offline, the port still stays in its initial VLAN.

2) MGV

For MGV to take effect on a port, you must also enable the MAC VLAN function on the port. With both MGV and MAC VLAN configured on a port, the device will bind the MAC addresses of unauthenticated users with the guest VLAN of the port, allowing the unauthenticated users to access resources in the guest VLAN.

If a user of a port in the guest VLAN initiates authentication but fails the authentication, the device will add the user to the Auth-Fail VLAN configured for the port, if any. If no Auth-Fail VLAN is configured, the device will keep the user in the guest VLAN.

If a user of a port in the guest VLAN initiates authentication and passes the authentication, the device will add the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN.

At present, among the S3100 series Ethernet switches, only the S3100-EI series supports the MAC VLAN function. Thus, the S3100-EI series supports both PGV and MGV, while the S3100-SI series supports only PGV.

Auth-Fail VLAN

The Auth-Fail VLAN feature allows users who fail authentication to access a specified VLAN, which is called the Auth-Fail VLAN. Note that failing authentication means being denied by the authentication server for reasons such as a wrong password. Authentication failures caused by authentication timeout or network connection problems do not fall into this category.

Similar to a guest VLAN, an Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a MAC-based Auth-Fail VLAN (MAFV), depending on the VLAN assignment mode.

1) PAFV

With PAFV configured on a port, if a user on the port fails authentication, the port will be added to the Auth-Fail VLAN and all users accessing the port will be authorized to access the resources in the Auth-Fail VLAN.
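The port-based transitions described on this page (guest VLAN, Auth-Fail VLAN, server-assigned VLAN, initial VLAN) can be traced with a small model. This is an added example, not H3C code or switch configuration: the class and function names are hypothetical, leaving the port unchanged on a timeout is an assumption, and the outcome of passing authentication from the Auth-Fail VLAN is left unmodelled because this excerpt ends before stating it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    ACCEPT = "accept"    # server accepted the user
    REJECT = "reject"    # server denied the user, e.g. wrong password
    TIMEOUT = "timeout"  # timeout or network problem: not an authentication failure here


@dataclass
class Port:
    initial_vlan: int                     # VLAN the port was in before joining the guest VLAN
    guest_vlan: int
    auth_fail_vlan: Optional[int] = None  # None means no Auth-Fail VLAN is configured
    state: str = "guest"                  # guest | auth-fail | assigned | initial
    vlan: int = 0

    def __post_init__(self):
        self.vlan = self.guest_vlan       # the model starts with the port in the guest VLAN

    def authenticate(self, result: Result, assigned_vlan: Optional[int] = None) -> int:
        if self.state not in ("guest", "auth-fail"):
            raise ValueError("only ports in the guest or Auth-Fail VLAN are modelled")
        if result is Result.TIMEOUT:
            return self.vlan              # assumption: the port is left where it is
        if result is Result.REJECT:
            if self.state == "guest" and self.auth_fail_vlan is not None:
                self.state, self.vlan = "auth-fail", self.auth_fail_vlan
            return self.vlan              # otherwise it stays in the guest / Auth-Fail VLAN
        if self.state == "auth-fail":
            raise NotImplementedError("outcome not stated in the page excerpt")
        if assigned_vlan is not None:     # server assigned a VLAN
            self.state, self.vlan = "assigned", assigned_vlan
        else:                             # no assignment: back to the initial VLAN
            self.state, self.vlan = "initial", self.initial_vlan
        return self.vlan

    def offline(self) -> int:
        if self.state in ("assigned", "initial"):
            self.state, self.vlan = "initial", self.initial_vlan
        return self.vlan


def walk(port: Port, events) -> list:
    """Apply (Result, assigned_vlan) events and return the port VLAN after each one."""
    return [port.authenticate(r, v) for r, v in events]
```

Because the model is port-based, the VLAN it returns applies to every user on the port, which is why one rejected user under PAFV changes what all users on that port can reach.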

If a user of a port in the Auth-Fail VLAN initiates authentication but fails the authentication, the port stays in the Auth-Fail VLAN. If the user passes the authentication successfully, the port leaves the Auth-Fail VLAN, and:
