R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis

100

The 802.1X guest VLAN on a port accommodates users who have not performed 802.1X authentication.

Users in the guest VLAN can access a limited set of network resources, such as a software server, to

download antivirus software and system patches. Once a user in the guest VLAN passes 802.1X

authentication, it is removed from the guest VLAN and can access authorized network resources.

The following table describes how the access device handles VLANs on an 802.1X-enabled port:

Authentication status VLAN mani

ulation

A user has not passed 802.1X

authentication and is in the

authentication process.

The device assigns the 802.1X guest VLAN to the port as the PVID. All

802.1X users on this port can access only resources in the guest VLAN.

If no 802.1X guest VLAN is configured, the access device does not perform

any VLAN operation.

A user in the 802.1X guest

VLAN fails 802.1X

authentication.

If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") i

s available, the device

assigns the Auth-Fail VLAN to the port as the PVID. All users on this port can

access only resources in the Auth-Fail VLAN.

If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X

guest VLAN. All users on the port are in the guest VLAN.

A user in the 802.1X guest

VLAN passes 802.1X

authentication.

• The device assigns the authorization VLAN of the user to the port as the

PVID, and it removes the port from the 802.1X guest VLAN. After the user

logs off, the port is assigned back to the guest VLAN.

• If the authentication server does not authorize a VLAN, the initial PVID

applies. The user and all subsequent 802.1X users are assigned to the

initial port VLAN. After the user logs off, the port is assigned back to the

guest VLAN.

NOTE:

The initial PVID of an 802.1X-enabled port refers to the PVID used by the port

before the port is assigned to any 802.1X VLANs.

Auth-Fail VLAN

Only ports that perform port-based access control support the Auth-Fail VLAN.

The 802.1X Auth-Fail VLAN on a port accommodates users who have failed 802.1X authentication

because of the failure to comply with the organization security strategy, such as using a wrong password.

Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to

download antivirus software and system patches.

The Auth-Fail VLAN does not accommodate 802.1X users who have failed authentication for

authentication timeouts or network connection problems.

The following table describes how the access device handles VLANs on an 802.1X-enabled port:

Authentication status VLAN mani

ulation

A user fails 802.1X

authentication.

The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X

users on this port can access only resources in the Auth-Fail VLAN.

A user in the 802.1X Auth-Fail

VLAN fails 802.1X

reauthentication

The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this

port are in this VLAN.