Guest vlan, Auth-fail vlan – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

114

Access control

VLAN manipulation

IMPORTANT:

•

With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the

assignment, do not re-configure the port as a tagged member in the VLAN.

•

On a periodic online user re-authentication enabled port, if a user has been online before you enable the

MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless

the user passes re-authentication and the VLAN for the user has changed.

•

For more information about VLAN configuration and MAC-based VLAN, see Layer 2 Configuration Guide.

Guest VLAN

You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X

authentication, so they can access a limited set of network resources, such as a software server, to

download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X

authentication, it is removed from the guest VLAN and can access authorized network resources.
The WX access controllers support guest VLAN only on ports that perform MAC-based access control.
The following describes the way that a WX access controller handles VLANs on the port that performs

MAC-based access control.

Authentication status

VLAN manipulation

A user has not passed 802.1X
authentication yet

Creates a mapping between the MAC address of the user and the 802.1X
guest VLAN. The user can access resources in the guest VLAN.

A user in the 802.1X guest
VLAN fails 802.1X

authentication

If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the
user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail
VLAN.
If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest
VLAN.

A user in the 802.1X guest
VLAN passes 802.1X
authentication

Re-maps the MAC address of the user to the VLAN specified for the user.
If the authentication server assigns no VLAN, re-maps the MAC address of the
user to the initial default VLAN on the port.

NOTE:
•

To use the 802.1X guest VLAN function on a port that performs MAC-based access control, make sure
that the port is a hybrid port, and enable MAC-based VLAN on the port.

•

The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.

•

For more information about VLAN configuration and MAC-based VLAN, see

Layer 2 Configuration

Guide.

Auth-Fail VLAN

You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication
because of the failure to comply with the organization security strategy, such as using a wrong password.

Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to

download anti-virus software and system patches.
The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for
authentication timeouts or network connection problems.