R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

100

The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X

access control mode.

• On a port that performs port-based access control

Authentication status VLAN manipulation

A user that has not been assigned to any

VLAN fails 802.1X authentication because

all the RADIUS servers are unreachable.

Assigns the critical VLAN to the port as the PVID. The 802.1X

user and all subsequent 802.1X users on this port can access

only resources in the critical VLAN.

A user in the 802.1X critical VLAN fails

authentication because all the RADIUS

servers are unreachable.

The critical VLAN is still the PVID of the port, and all 802.1X

users on this port are in this VLAN.

A user in the 802.1X critical VLAN fails

authentication for any other reason than

server unreachable.

If an Auth-Fail VLAN has been configured, the PVID of the port

changes to Auth-Fail VLAN ID, and all 802.1X users on this port

are moved to the Auth-Fail VLAN.

A user in the critical VLAN passes 802.1X

authentication.

• Assigns the VLAN specified for the user to the port as the

PVID, and removes the port from the critical VLAN. After the

user logs off, the default or user-configured PVID restores.

• If the authentication server assigns no VLAN, the default or

user-configured PVID applies. The user and all subsequent

802.1X users are assigned to this port VLAN. After the user

logs off, this PVID remains unchanged.

A user in the 802.1X guest VLAN or the

Auth-Fail VLAN fails authentication because

all the RADIUS servers is reachable.

The PVID of the port remains unchanged. All 802.1X users on

this port can access only resources in the guest VLAN or the

Auth-Fail VLAN.

• On a port that performs MAC-based access control

Authentication status VLAN manipulation

A user that has not been assigned to any VLAN

fails 802.1X authentication because all the

RADIUS servers are unreachable.

Maps the MAC address of the user to the critical VLAN. The

user can access only resources in the critical VLAN.

A user in the 802.1X critical VLAN fails

authentication because all the RADIUS servers

are unreachable.

The user is still in the critical VLAN.

A user in the critical VLAN fails 802.1X

authentication for any other reason than server

unreachable.

If an Auth-Fail VLAN has been configured, re-maps the

MAC address of the user to the Auth-Fail VLAN ID.

A user in the critical VLAN passes 802.1X

authentication.

Re-maps the MAC address of the user to the server-assigned

VLAN.

If the authentication server assigns no VLAN, re-maps the

MAC address of the user to the default or user-configured

PVID on the port.