Failed authentication vlan, Limitations on allowed feature combinations, Failed – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual
Page 1125
Authentication Introduction and Configuration
Software Reference for x310 Series Switches
C613-50046-01 REV A
AlliedWare Plus™ Operating System - Version 5.4.4C
42.29 Failed Authentication VLAN
The auth-fail VLAN feature allows the network administrator to separate the supplicants
who attempted authentication, but failed, from the supplicants who did not attempt
authentication.
This feature enables the network administrator to enact a security policy in which the
supplicants who fail authentication are given extremely limited access, or are given access
to remedial applications.
If the Guest VLAN and auth-fail VLAN are both configured on a switch, then a newly
connected supplicant initially belongs to the Guest VLAN. If newly connected supplicants
attempt 802.1X port authentication or Web-authentication and fail, then they are moved
from the Guest VLAN to the auth-fail VLAN.
The criteria for how many failed authentication attempts are allowed before the
supplicant is moved to the auth-fail VLAN differs, depending on the authentication
method used.
If Web-authentication is used, then the supplicant is moved to the auth-fail VLAN after the
first failed attempt. If 802.1X port authentication is used, then the supplicant is moved to
the auth-fail VLAN after the number of failed attempts is equal to the value configured by
the dot1x max-auth-fail command (by default, three failed 802.1X authentication
attempts are allowed).
The MAC-authentication feature does not support the max-auth-fail option. If the auth-fail
VLAN feature is used in conjunction with MAC-authentication, only one attempt is allowed
for a MAC-authentication supplicant. If the attempt fails, then the supplicant will be
treated as “Authenticated” and the interface will be added to the configured auth-fail
VLAN.
Limitations on Allowed Feature Combinations
Note that the Web-authentication feature cannot be used with the Guest VLAN or auth-fail
VLAN features. For further information on limitations, see the tables below:
Table 42-2: Interoperation of authentication types with Guest VLAN and auth-fail VLAN

Authentication Type | Guest VLAN (without routing mode) | Guest VLAN (with routing mode) | Failed Authentication VLAN
802.1X-authentication | Layer 2 forward packets destined to other addresses within the Guest VLAN. | Unauthorized supplicant can access Guest VLAN. Use ACL for security on the interface. | Failed authentication supplicant can access auth-fail VLAN. See limitations table below for ACL usage limitation.
MAC-authentication | Layer 2 forward packets destined to other addresses within the Guest VLAN. | Unauthorized supplicant can access Guest VLAN. Use ACL for security on the interface. | Failed authentication supplicant can access auth-fail VLAN. See limitations table below for ACL usage limitation.
Web-authentication (without intercept mode) | Layer 2 forward packets destined to other addresses within the Guest VLAN. | Unauthorized supplicant can access Guest VLAN. Use ACL for security on the interface. | Failed authentication supplicant can access auth-fail VLAN. See limitations table below for ACL usage limitation.
Web-authentication (with intercept mode) | (Not Available) | (Not Available) | (Not Available)
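The following is an added example, not Allied Telesis code, that models where a supplicant lands under the auth-fail VLAN rules of section 42.29 and the intercept-mode restriction in Table 42-2. The per-method failure thresholds come from the text; the state names and the "authorized_vlan" used after a successful login are assumptions made for this example.

```python
# Added example (not Allied Telesis code): model of auth-fail VLAN placement.
# Thresholds follow the text; state names and authorized_vlan are assumptions.

DEFAULT_MAX_AUTH_FAIL = 3  # default of the "dot1x max-auth-fail" command


class AuthPort:
    def __init__(self, auth_fail_vlan, guest_vlan=None,
                 max_auth_fail=DEFAULT_MAX_AUTH_FAIL, authorized_vlan=10):
        self.auth_fail_vlan = auth_fail_vlan
        self.guest_vlan = guest_vlan
        self.max_auth_fail = max_auth_fail
        self.authorized_vlan = authorized_vlan  # assumed, not from the page
        self.failures = 0
        self.state = "unauthenticated"
        # A newly connected supplicant starts in the Guest VLAN when one is configured.
        self.vlan = guest_vlan

    def failure_threshold(self, method):
        """Failed attempts after which the supplicant moves to the auth-fail VLAN."""
        if method == "web":
            return 1                   # moved after the first failed attempt
        if method == "mac":
            return 1                   # max-auth-fail unsupported; a single attempt
        if method == "dot1x":
            return self.max_auth_fail  # dot1x max-auth-fail, default 3
        raise ValueError(f"unsupported method {method!r}")

    def attempt(self, method, success):
        """Apply one authentication attempt and return (state, vlan) afterwards."""
        if method == "web-intercept":
            # Table 42-2: intercept-mode Web-auth is not available with these VLANs.
            raise ValueError("Web-auth intercept mode cannot use Guest/auth-fail VLAN")
        if success:
            self.state, self.vlan = "authenticated", self.authorized_vlan
            return self.state, self.vlan
        self.failures += 1
        if self.failures >= self.failure_threshold(method):
            # A failed MAC-auth supplicant is treated as "Authenticated" but placed in
            # the auth-fail VLAN; the other methods leave it in an auth-fail state.
            self.state = "authenticated" if method == "mac" else "auth-fail"
            self.vlan = self.auth_fail_vlan
        return self.state, self.vlan


def trace(method, outcomes, **port_kwargs):
    """Return the (state, vlan) pair after each outcome in a sequence of attempts."""
    port = AuthPort(**port_kwargs)
    return [port.attempt(method, ok) for ok in outcomes]
```

Running trace("dot1x", [False, False, False], auth_fail_vlan=30, guest_vlan=20) shows the supplicant staying in VLAN 20 for two failures and moving to VLAN 30 on the third, while the same sequence with method "mac" moves it after the first failure with state "authenticated".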