beautypg.com

Auth-fail vlan – H3C Technologies H3C S7500E Series Switches User Manual


If a user of a port in the guest VLAN initiates authentication but fails the authentication, the port will be added to the Auth-Fail VLAN configured for the port, if any. If no Auth-Fail VLAN is configured, the port will stay in the guest VLAN. For more information about Auth-Fail VLAN, see Auth-Fail VLAN.

If a user of a port in the guest VLAN initiates authentication and passes authentication successfully, the port leaves the guest VLAN, and:

• If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user logs off, the port returns to its initial VLAN, that is, the VLAN the port was in before it joined the guest VLAN.

• If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client logs off, the port still stays in its initial VLAN.

2) MGV

MGV refers to the guest VLAN configured on a port that uses the MAC-based access control method. With MGV configured on a port, unauthenticated users on the port are authorized to access the resources in the guest VLAN.

If a user of a port in the guest VLAN initiates authentication but fails the authentication, the device will add the user to the Auth-Fail VLAN configured for the port, if any. If no Auth-Fail VLAN is configured, the device will keep the user in the guest VLAN.

If a user of a port in the guest VLAN initiates authentication and passes the authentication, the device will add the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN.

Auth-Fail VLAN

The Auth-Fail VLAN feature allows users failing authentication to access a specified VLAN, which is called the Auth-Fail VLAN. Note that failing authentication means being denied by the authentication server for reasons such as a wrong password. Authentication failures caused by authentication timeout or network connection problems do not fall into this category.

Similar to a guest VLAN, an Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a MAC-based Auth-Fail VLAN (MAFV), depending on the port access control method.

1) PAFV

PAFV refers to the Auth-Fail VLAN configured on a port that uses the port-based access control method. With PAFV configured on a port, if a user on the port fails authentication, the port will be added to the Auth-Fail VLAN and all users accessing the port will be authorized to access the resources in the Auth-Fail VLAN. The device adds a PAFV-configured port to the Auth-Fail VLAN according to the port’s link type, in a way similar to that described in VLAN assignment.

If a user of a port in the Auth-Fail VLAN initiates authentication but fails the authentication, the port stays in the Auth-Fail VLAN. If the user passes the authentication successfully, the port leaves the Auth-Fail VLAN, and:

• If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user logs off, the port returns to its initial VLAN, that is, the VLAN the port was in before it was added to any authorized VLAN.

• If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client logs off, the port still stays in its initial VLAN.
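
The port-based transitions described above (guest VLAN and PAFV) can be checked with a small model of where a port ends up after each authentication event. This is an added example, not H3C code: the class and event names and the VLAN IDs are constructed, and leaving the port unchanged on a timeout is an assumption based on the statement that timeouts are not authentication failures.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Event(Enum):
    REJECT = "reject"    # denied by the authentication server, e.g. wrong password
    TIMEOUT = "timeout"  # timeout or network problem: not an authentication failure
    ACCEPT = "accept"    # authentication passed
    LOGOFF = "logoff"    # authenticated user logs off


@dataclass
class Port:
    initial_vlan: int                     # VLAN the port was in before any move
    auth_fail_vlan: Optional[int] = None  # PAFV, if configured
    current: Optional[int] = None         # set to the guest VLAN to start there

    def __post_init__(self) -> None:
        if self.current is None:
            self.current = self.initial_vlan

    def step(self, event: Event, assigned_vlan: Optional[int] = None) -> int:
        if event is Event.REJECT:
            # Join the Auth-Fail VLAN if one is configured; otherwise stay put
            # (guest VLAN stays guest VLAN, Auth-Fail VLAN stays Auth-Fail VLAN).
            if self.auth_fail_vlan is not None:
                self.current = self.auth_fail_vlan
        elif event is Event.ACCEPT:
            # Server-assigned VLAN wins; with none assigned, back to the initial VLAN.
            self.current = assigned_vlan if assigned_vlan is not None else self.initial_vlan
        elif event is Event.LOGOFF:
            self.current = self.initial_vlan
        # Event.TIMEOUT: assumption, the port is left where it is.
        return self.current


def trace(port: Port, events: List[Tuple[Event, Optional[int]]]) -> List[int]:
    """Replay (event, assigned_vlan) pairs and return the port VLAN after each."""
    return [port.step(event, vlan) for event, vlan in events]


if __name__ == "__main__":
    # Constructed VLAN IDs: initial 10, guest 20, Auth-Fail 30, server-assigned 100.
    port = Port(initial_vlan=10, auth_fail_vlan=30, current=20)
    print(trace(port, [(Event.REJECT, None), (Event.TIMEOUT, None),
                       (Event.ACCEPT, 100), (Event.LOGOFF, None)]))
```

Because a port in the Auth-Fail VLAN admits all users on that port, the trace is a quick way to confirm which VLAN a rejected port lands in for a given configuration.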

2) MAFV