Guest vlan, Auth-fail vlan – H3C Technologies H3C S5120 Series Switches User Manual

The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user logs off, the port returns to the initial VLAN of the port.

For details about VLAN configuration, refer to VLAN Configuration.

• With a Hybrid port, the VLAN assignment will fail if you have configured the assigned VLAN to carry tags.

• With a Hybrid port, you cannot configure an assigned VLAN to carry tags after the VLAN has been assigned.

Guest VLAN

The guest VLAN feature allows unauthenticated users to access a specified VLAN, where the users can, for example, download or upgrade the client software, or execute some user upgrade programs. This VLAN is called the guest VLAN.

Depending on the port access control method, a guest VLAN can be a port-based guest VLAN (PGV) or a MAC-based guest VLAN (MGV).

Currently, on the switch, a guest VLAN can be only a port-based guest VLAN (PGV).

PGV refers to the guest VLAN configured on a port that uses the port-based access control method.

With PGV configured on a port, if no user initiates authentication on the port within a certain period of time (90 seconds by default), the port will be added to the guest VLAN and all users accessing the port will be authorized to access the resources in the guest VLAN. The device adds a PGV-configured port to the guest VLAN according to the port's link type, in a way similar to that described in VLAN assignment.

If a user of a port in the guest VLAN initiates authentication but fails the authentication, the port will be added to the Auth-Fail VLAN configured for the port, if any. If no Auth-Fail VLAN is configured, the port will stay in the guest VLAN. For details about Auth-Fail VLAN, refer to Auth-Fail VLAN.

If a user of a port in the guest VLAN initiates authentication and passes authentication successfully, the port leaves the guest VLAN, and:

• If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user logs off, the port returns to its initial VLAN, that is, the VLAN the port was in before it was added to any authorized VLAN.

• If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client logs off, the port still stays in its initial VLAN.

Auth-Fail VLAN

The Auth-Fail VLAN feature allows users failing authentication to access a specified VLAN, which is called the Auth-Fail VLAN. Note that failing authentication means being denied by the authentication server for reasons such as a wrong password. Authentication failures caused by authentication timeout or network connection problems do not fall into this category.
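
The port movements described in the Guest VLAN and Auth-Fail VLAN sections above, written as a small state model that can be replayed to check which VLAN unauthenticated or rejected users end up in. This is an added example, not H3C code; the Port class, the event names and the VLAN IDs are hypothetical, and leaving the port where it is on a timeout is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    initial_vlan: int
    guest_vlan: Optional[int] = None       # PGV configured on the port, if any
    auth_fail_vlan: Optional[int] = None   # Auth-Fail VLAN configured, if any
    role: str = "initial"                  # initial | guest | auth-fail | assigned
    vlan: int = 0

    def __post_init__(self):
        self.vlan = self.initial_vlan

    def handle(self, event: str, server_vlan: Optional[int] = None) -> int:
        """Apply one event and return the VLAN the port is in afterwards."""
        if event in ("auth_timeout", "network_error"):
            # Not "failing authentication", so the Auth-Fail VLAN is not used.
            # Assumption of this model: the port stays where it is.
            return self.vlan
        key = (self.role, event)
        if key == ("initial", "no_auth_timer_expired"):    # 90 s by default
            if self.guest_vlan is not None:
                self.role, self.vlan = "guest", self.guest_vlan
        elif key == ("guest", "server_reject"):
            # With no Auth-Fail VLAN configured the port stays in the guest VLAN.
            if self.auth_fail_vlan is not None:
                self.role, self.vlan = "auth-fail", self.auth_fail_vlan
        elif key in (("initial", "auth_success"), ("guest", "auth_success")):
            if server_vlan is not None:
                self.role, self.vlan = "assigned", server_vlan
            else:
                self.role, self.vlan = "initial", self.initial_vlan
        elif key in (("assigned", "logoff"), ("initial", "logoff")):
            self.role, self.vlan = "initial", self.initial_vlan
        else:
            raise ValueError(f"{key} is not described in this section")
        return self.vlan

def trace(port: Port, events) -> list:
    """Replay (event, server_vlan) pairs; return the VLAN after each one."""
    return [port.handle(name, vlan) for name, vlan in events]

# Constructed sample: initial VLAN 10, guest VLAN 20, Auth-Fail VLAN 30.
SAMPLE = [("no_auth_timer_expired", None), ("auth_timeout", None),
          ("auth_success", 100), ("logoff", None)]

if __name__ == "__main__":
    print(trace(Port(10, 20, 30), SAMPLE))
```

Transitions that this section does not describe, such as a successful authentication from the Auth-Fail VLAN, raise an error instead of guessing at the switch's behaviour.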