
Support for guest vlan and auth-fail vlan, Port security configuration task list – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


In presharedKey mode, the maximum number of PSK users on the port is the port specification limit on the number of wireless users or port security's limit on the number of MAC addresses, whichever is smaller. The actual maximum number of PSK users on the port also depends on the total number of PSK users that the system can support. For more information, see About the WX Series Access Controllers Command References.

In macAddressAndPresharedKey mode, the maximum number of PSK users on the port is the MAC authentication feature's limit on the number of concurrent users or port security's limit on the number of MAC addresses, whichever is smaller. The actual maximum number of PSK users on the port also depends on the total number of PSK users that the system can support.

In userLoginSecureExtOrPresharedKey mode, the number of PSK users on the port cannot exceed the port limit on the number of wireless users, the number of 802.1X users cannot exceed the 802.1X feature's limit on the number of concurrent users, and the total number of PSK and 802.1X users cannot exceed port security's limit on the number of MAC addresses on the port. The maximum number of PSK or 802.1X users also depends on the system specification.
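
The following Python model is an added illustration, not code from the H3C manual or firmware. It applies the three modes' limits to decide whether one more user fits on a port and reports which limit is binding, which helps when working out why clients are refused. The field names, the sample values, and the one-MAC-entry-per-user rule are assumptions of the model.

```python
from dataclasses import dataclass

# Illustrative model only; field names and sample values are assumptions,
# not H3C configuration keywords.
@dataclass
class PortLimits:
    wireless_users: int   # port specification limit on wireless users
    max_mac: int          # port security's limit on MAC addresses
    mac_auth_users: int   # MAC authentication concurrent-user limit
    dot1x_users: int      # 802.1X concurrent-user limit
    system_psk: int       # total PSK users the system can support

PSK_MODES = {"presharedKey", "macAddressAndPresharedKey",
             "userLoginSecureExtOrPresharedKey"}

def admit(mode, lim, kind, psk=0, dot1x=0, system_psk_in_use=0):
    """Decide whether one more user of `kind` ('psk' or 'dot1x') fits.

    psk / dot1x are the users already on the port. Returns
    (admitted, binding_limit); binding_limit is None when admitted.
    """
    if mode not in PSK_MODES:
        raise ValueError(f"mode not covered by this model: {mode}")
    checks = []  # (limit name, current count, ceiling)
    if kind == "psk":
        checks.append(("system_psk", system_psk_in_use, lim.system_psk))
        if mode == "macAddressAndPresharedKey":
            checks.append(("mac_auth_users", psk, lim.mac_auth_users))
        else:
            checks.append(("wireless_users", psk, lim.wireless_users))
    elif kind == "dot1x" and mode == "userLoginSecureExtOrPresharedKey":
        checks.append(("dot1x_users", dot1x, lim.dot1x_users))
    else:
        raise ValueError(f"{kind!r} users are not modelled for {mode}")
    # Model assumption: each admitted user consumes one MAC address entry.
    checks.append(("max_mac", psk + dot1x, lim.max_mac))
    for name, current, ceiling in checks:
        if current + 1 > ceiling:
            return False, name
    return True, None

# Constructed sample limits for a single port.
SAMPLE = PortLimits(wireless_users=64, max_mac=80, mac_auth_users=32,
                    dot1x_users=40, system_psk=1000)

if __name__ == "__main__":
    print(admit("userLoginSecureExtOrPresharedKey", SAMPLE, "psk",
                psk=50, dot1x=30))
```
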

CAUTION:

Do not configure static MAC address entries for wireless users that use the 802.1X or MAC authentication service. If the source MAC address and the VLAN of a wireless user match a static MAC address entry in the MAC address table, the user cannot pass 802.1X authentication or MAC authentication.

Support for guest VLAN and Auth-Fail VLAN

An 802.1X guest VLAN is the VLAN that a user is in before initiating authentication. An 802.1X Auth-Fail VLAN or a MAC authentication guest VLAN is the VLAN that a user is in after failing authentication.

You can use the 802.1X guest VLAN and 802.1X Auth-Fail VLAN features together with port security modes that support 802.1X authentication. For more information about the 802.1X guest VLAN and Auth-Fail VLAN on a port that performs MAC-based access control, see "Configuring 802.1X."

You can use the MAC authentication VLAN feature together with security modes that support MAC authentication. For more information about the MAC authentication guest VLAN, see "Configuring MAC authentication."

If you configure both an 802.1X Auth-Fail VLAN and a MAC authentication guest VLAN on a port that performs MAC-based access control, the 802.1X Auth-Fail VLAN has a higher priority.

Port security configuration task list

| Task | Remarks |
|---|---|
| Enabling port security | Required. |
| Setting port security's limit on the number of MAC addresses on a port | Optional. |
| Setting the port security mode | Required. |
| Configuring port security features: Configuring NTK; Configuring intrusion protection; Enabling port security traps | Optional. Configure one or more features as required. |
| Configuring port security for WLAN ports: Setting the port security mode of a WLAN port; Enabling key negotiation | Required for WLAN ports. |