H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – 802.1x - MAC Authentication
H3C S7500E Series Ethernet Switches Chapter 1 802.1x Configuration
1-12
Note:
z With a Hybrid port, the VLAN assigning will fail if you have configured the assigned
VLAN to carry tags.
z With a Hybrid port, you cannot configure an assigned VLAN to carry tags after the
VLAN has been assigned.
II. Guest VLAN
Guest VLAN allows unauthenticated users to access some special resources.
Guest VLAN is the default VLAN that a supplicant on a port can access without
authentication. After the supplicant passes 802.1x authentication, the port leaves the
guest VLAN and the supplicant can access other network resources.
A user of the guest VLAN can perform operations such as downloading and upgrading
the authentication client software. If a supplicant does not have the required
authentication client software or the version of the client software is lower, the
supplicant will fail the authentication. If no supplicant on a port passes authentication in
a certain period of time (45 seconds by default), the port will be added into the guest
VLAN.
If a device with 802.1x enabled and the guest VLAN correctly configured sends an
EAP-Request/Identity packet for the allowed maximum number of times but gets no
response, it adds the port into the guest VLAN according to port link type in the similar
way as described in VLAN assigning.
When a supplicant added into the guest VLAN initiates another authentication process,
if the authentication is not successful, the supplicant stays in the guest VLAN;
otherwise, two cases may occur:
z The authentication server assigns a VLAN: The port leaves the guest VLAN and
joins the assigned VLAN. If the supplicant goes offline, the port returns to its
original VLAN, that is, the VLAN to which it is configured to belong and it belongs
before joining the guest VLAN.
z The authentication server does not assign any VLAN: The port leaves the guest
VLAN and returns to its original VLAN. If the supplicant goes offline, the port just
stays in its original VLAN.
III. ACL assigning
ACLs provide a way of controlling access to network resources and restricting access
rights. When a user logs in, if the RADIUS server is configured with authorization ACLs,
the device will permit or deny data flows traversing through the port through which the
user accesses the device according to the authorization ACLs assigned by the
RADIUS server. You can change access rights of users by modifying authorization ACL
settings on the RADIUS server.