R0106-HP MSR Router Series Security Configuration Guide(V7)
| Authentication status | VLAN manipulation |
|---|---|
| A user in the 802.1X guest VLAN fails authentication because all the RADIUS servers are unreachable. | The device assigns the 802.1X critical VLAN to the port as the PVID, and all 802.1X users on this port are in this VLAN. |
| A user in the 802.1X Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable. | The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the 802.1X Auth-Fail VLAN. |
| A user who has passed authentication fails reauthentication because all the RADIUS servers are unreachable, and the user is logged out of the device. | The device assigns the 802.1X critical VLAN to the port as the PVID. |
Using 802.1X authentication with SmartOn
The SmartOn feature was developed to support the NEC 802.1X client.
As shown in Figure 32, the access device performs SmartOn authentication before 802.1X authentication
as follows:
1. When a SmartOn-enabled port receives an EAPOL-Start packet from an 802.1X client, it sends a
unicast EAP-Request/Notification packet to the client for SmartOn authentication.
2. Upon receiving an EAP-Response/Notification from the client, the device compares the switch ID
and password in the packet with the switch ID and password configured on the device.
   - If they are the same, 802.1X authentication can continue.
   - If they do not match, SmartOn authentication fails. The access device stops 802.1X
     authentication for the client.
Figure 32 802.1X authentication process with the SmartOn feature
If the user attempts to use another 802.1X client for authentication, it will fail SmartOn authentication. The
access device stops 802.1X authentication for the user.
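The two-step SmartOn exchange above, modelled from both sides as an added example (not code from this guide or from the device firmware). The EAPOL and EAP header fields follow IEEE 802.1X and RFC 3748; the class and function names are hypothetical, and the payload layout (switch ID, NUL byte, password) and the constant-time comparison are assumptions, since the guide does not describe how the Notification carries the credentials.

```python
import hmac
import struct

EAPOL_EAP_PACKET, EAPOL_START = 0, 1   # IEEE 802.1X EAPOL packet types
EAP_REQUEST, EAP_RESPONSE = 1, 2       # RFC 3748 EAP codes
EAP_NOTIFICATION = 2                   # RFC 3748 EAP type
SAMPLE_ID, SAMPLE_PW = b"sw-01", b"constructed-pass"  # constructed sample values

def eapol(ptype, body=b""):
    """EAPOL header (version, type, length) followed by the body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def eap(code, ident, data=b""):
    """EAP Notification packet: code, identifier, length, type, data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), EAP_NOTIFICATION) + data

class SmartOnPort:
    """Hypothetical model of the access device's SmartOn gate for one client."""
    def __init__(self, switch_id, password):
        # Assumed payload layout: switch ID, NUL byte, password.
        self.expected = switch_id + b"\x00" + password
        self.state, self.ident = "IDLE", 0

    def receive(self, frame):
        """Process one client frame; return the reply frame or None."""
        if len(frame) < 4:
            return None
        _ver, ptype, length = struct.unpack("!BBH", frame[:4])
        body = frame[4:4 + length]
        if ptype == EAPOL_START:                      # step 1
            self.ident = (self.ident + 1) % 256
            self.state = "SMARTON_PENDING"
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.ident))
        if ptype != EAPOL_EAP_PACKET or self.state != "SMARTON_PENDING" or len(body) < 5:
            return None
        code, ident, elen, etype = struct.unpack("!BBHB", body[:5])
        if (code, ident, etype) != (EAP_RESPONSE, self.ident, EAP_NOTIFICATION):
            return None                               # not the awaited response
        # step 2: constant-time compare; a short or malformed length just fails
        ok = hmac.compare_digest(body[5:elen], self.expected)
        self.state = "DOT1X_CONTINUE" if ok else "DOT1X_STOPPED"
        return None

def run_exchange(port, switch_id, password):
    """Client side: EAPOL-Start, then answer the Notification request."""
    request = port.receive(eapol(EAPOL_START))
    answer = eap(EAP_RESPONSE, request[5], switch_id + b"\x00" + password)
    port.receive(eapol(EAPOL_EAP_PACKET, answer))
    return port.state
```

A response that arrives before any EAPOL-Start, or with a stale identifier, is ignored rather than treated as a failed attempt, so only the awaited EAP-Response/Notification can move the port to `DOT1X_CONTINUE`.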