R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis

100

Authentication status VLAN mani

ulation

A user passes 802.1X

authentication.

• The device assigns the authorization VLAN of the user to the port as the

PVID, and it removes the port from the Auth-Fail VLAN. After the user

logs off, the guest VLAN is assigned to the port as the PVID. If no guest

VLAN is configured, the initial PVID of the port is restored.

• If the authentication server does not authorize a VLAN, the initial PVID

of the port applies. The user and all subsequent 802.1X users are

assigned to the initial PVID. After the user logs off, the guest VLAN is

assigned to the port as the PVID. If no guest VLAN is configured, the

PVID remains unchanged.

Critical VLAN

Only ports that perform port-based access control support the critical VLAN.

The 802.1X critical VLAN on a port accommodates 802.1X users who have failed authentication

because none of the RADIUS servers in their ISP domain is reachable. Users in the critical VLAN can

access a limited set of network resources depending on your configuration. When a reachable RADIUS

server is detected, the device removes the port from the critical VLAN. The port sends a multicast Identity

EAP/Request to all 802.1X users on the port to trigger authentication.

The critical VLAN function takes effect when 802.1X authentication is performed only through RADIUS

servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned

to the critical VLAN. For more information about RADIUS configuration, see "Configuring AAA."

The following table describes how the access device handles VLANs on an 802.1X-enabled port:

Authentication status VLAN manipulation

A user that has not been assigned to any

VLAN fails 802.1X authentication because

all the RADIUS servers are unreachable.

The device assigns the critical VLAN to the port as the PVID. The

802.1X user and all subsequent 802.1X users on this port can

access only resources in the 802.1X critical VLAN.

A user in the 802.1X critical VLAN fails

authentication because all the RADIUS

servers are unreachable.

The critical VLAN is still the PVID of the port, and all 802.1X

users on this port are in this VLAN.

A user in the 802.1X critical VLAN fails

authentication for any other reasons except

for unreachable servers.

If an 802.1X Auth-Fail VLAN has been configured, the PVID of

the port changes to the Auth-Fail VLAN ID, and all 802.1X

users on this port are moved to the Auth-Fail VLAN.

A user in the 802.1X critical VLAN passes

802.1X authentication.

• The device assigns the authorization VLAN of the user to the

port as the PVID, and it removes the port from the 802.1X

critical VLAN. After the user logs off, the guest VLAN ID

changes to the PVID. If no 802.1X guest VLAN is configured,

the initial PVID of the port is restored.

• If the authentication server (either the local access device or

a RADIUS server) does not authorize a VLAN, the initial

PVID of the port applies. The user and all subsequent

802.1X users are assigned to this port VLAN. After the user

logs off, the guest VLAN ID changes to the PVID. If no

802.1X guest VLAN is configured, the PVID remains

unchanged.