HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 88
Authentication status, VLAN manipulation, dot1x critical recovery-action reinitialize
View all HP 6125G manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 88 highlights
Authentication status VLAN manipulation A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS servers is reachable. The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the guest VLAN or the Auth-Fail VLAN. 2. On a port that performs MAC-based access control To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port. Authentication status A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable. VLAN manipulation Maps the MAC address of the user to the critical VLAN. The user can access only resources in the critical VLAN. A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable. The user is still in the critical VLAN. A user in the critical VLAN fails 802.1X authentication for any other reason than server unreachable. A user in the critical VLAN passes 802.1X authentication. If an Auth-Fail VLAN has been configured, re-maps the MAC address of the user to the Auth-Fail VLAN ID. Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the default or user-configured PVID on the port. A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS server are unreachable. The user remains in the 802.1X VLAN or the Auth-Fail VLAN. NOTE: The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member. Any of the following RADIUS authentication server changes in the ISP domain for 802.1X users on a port can cause the users to be removed from the critical VLAN: • An authentication server is reconfigured, added, or removed. • The status of any RADIUS authentication server automatically changes to active or is administratively set to active. • The RADIUS server probing function detects that a RADIUS authentication server is reachable and sets its state to active. You can use the dot1x critical recovery-action reinitialize command to configure the port to trigger 802.1X re-authentication when the port or an 802.1X user on the port is removed from the critical VLAN. • If MAC-based access control is used, the port sends a unicast Identity EAP/Request to the 802.1X user to trigger authentication. 78