R2511-HP MSR Router Series Security Configuration Guide(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

101

102

103

104

105

106

107

108

109

110

Authentication status VLAN mani

ulation

A user passes 802.1X

authentication

• Assigns the VLAN specified for the user to the port as the PVID, and

removes the port from the Auth-Fail VLAN. After the user logs off, the

user-configured PVID restores.

• If the authentication server assigns no VLAN, the initial PVID applies. The

user and all subsequent 802.1X users are assigned to the user-configured

PVID. After the user logs off, the PVID remains unchanged.

The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.

For more information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.

Critical VLAN

Critical VLAN is not supported on ports that perform MAC-based access control.

Configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication

because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the

critical VLAN can access a limit set of network resources depending on your configuration.

The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS

servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned

to the critical VLAN. For more information about RADIUS configuration, see "Configuring AAA."

The following describes the way that the network access device handles VLANs on the port that performs

port-based access control.

Authentication status VLAN manipulation

A user that has not been assigned to any

VLAN fails 802.1X authentication because

all the RADIUS servers are unreachable.

Assigns the critical VLAN to the port as the PVID. The 802.1X

user and all subsequent 802.1X users on this port can access

only resources in the critical VLAN.

A user in the 802.1X critical VLAN fails

authentication because all the RADIUS

servers are unreachable.

The critical VLAN is still the PVID of the port, and all 802.1X

users on this port are in this VLAN.

A user in the 802.1X critical VLAN fails

authentication for any other reason than

server unreachable.

If an Auth-Fail VLAN has been configured, the PVID of the port

changes to Auth-Fail VLAN ID, and all 802.1X users on this port

are moved to the Auth-Fail VLAN.

A user in the critical VLAN passes 802.1X

authentication.

• Assigns the VLAN specified for the user to the port as the

PVID, and removes the port from the critical VLAN. After the

user logs off, the default or user-configured PVID restores.

• If the authentication server assigns no VLAN, the default or

user-configured PVID applies. The user and all subsequent

802.1X users are assigned to this port VLAN. After the user

logs off, this PVID remains unchanged.

A user in the 802.1X guest VLAN or the

Auth-Fail VLAN fails authentication because

all the RADIUS servers is reachable.

The PVID of the port remains unchanged. All 802.1X users on

this port can access only resources in the guest VLAN or the

Auth-Fail VLAN.

The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.