Configuration guidelines
Follow these guidelines when you configure an 802.1X guest VLAN:
You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN-tagged traffic.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
If 802.1X clients in your network cannot trigger an immediate DHCP-assigned IP address renewal in response to a VLAN change, the 802.1X users cannot access authorized network resources immediately after an 802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HPE iNode client does not have this problem.
Use Table 8 when configuring multiple security features on a port.
Table 8: Relationships of the 802.1X guest VLAN and other security features
Feature | Relationship description | Reference |
---|---|---|
MAC authentication guest VLAN on a port that performs MAC-based access control | Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC authentication guest VLAN. | |
802.1X Auth-Fail VLAN on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN has a higher priority. | |
Port intrusion protection on a port that performs MAC-based access control | The 802.1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. | |
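
The guidelines and Table 8 can be checked against a planned port configuration before it is applied. The following audit script is an added example, not part of the original documentation or of any HPE tool. The dictionary keys, the values such as `mac-based` and `shutdown-port`, and the interface names are hypothetical and do not represent device CLI syntax.

```python
# Added example: audits a per-port plan against the guidelines and Table 8.
# Dict keys and their values are hypothetical names, not device CLI syntax.
def audit_port(name, p):
    """Return (severity, message) findings for one port's planned settings."""
    guest = p.get("dot1x_guest_vlan")
    if guest is None:
        return []  # none of these guidelines apply without a guest VLAN
    findings = []
    # Voice VLAN, port VLAN and 802.1X guest VLAN must use different IDs.
    roles = [("voice VLAN", p.get("voice_vlan")), ("port VLAN", p.get("pvid")),
             ("802.1X guest VLAN", guest)]
    seen = {}
    for role, vid in roles:
        if vid is None:
            continue
        if vid in seen:
            findings.append(("error", f"{name}: {seen[vid]} and {role} share VLAN {vid}"))
        seen.setdefault(vid, role)

    # A hybrid port must remain an untagged member of the assigned VLAN.
    if p.get("link_type") == "hybrid" and guest in p.get("tagged_vlans", ()):
        findings.append(("error", f"{name}: tagged member of guest VLAN {guest}"))

    # Table 8 rows all concern ports that perform MAC-based access control.
    if p.get("access_control") == "mac-based":
        if p.get("mac_auth_guest_vlan") is not None:
            findings.append(("warn", f"{name}: MAC authentication guest VLAN is "
                             f"ignored; only 802.1X guest VLAN {guest} takes effect"))
        if p.get("dot1x_auth_fail_vlan") is not None:
            findings.append(("info", f"{name}: Auth-Fail VLAN takes priority over "
                             f"guest VLAN {guest}"))
        action = p.get("intrusion_action")
        if action == "block-mac":
            findings.append(("warn", f"{name}: guest VLAN overrides block MAC action"))
        elif action == "shutdown-port":
            findings.append(("warn", f"{name}: shut down port action overrides guest VLAN"))
    return findings
# Constructed sample plan (interface names and VLAN IDs are made up).
PLAN = {
    "GE1/0/1": {"link_type": "hybrid", "access_control": "mac-based", "pvid": 10,
                "voice_vlan": 20, "dot1x_guest_vlan": 20, "tagged_vlans": [20],
                "mac_auth_guest_vlan": 30, "intrusion_action": "shutdown-port"},
    "GE1/0/2": {"link_type": "hybrid", "access_control": "mac-based", "pvid": 10,
                "voice_vlan": 20, "dot1x_guest_vlan": 99, "dot1x_auth_fail_vlan": 98},
}
if __name__ == "__main__":
    for port, settings in PLAN.items():
        for finding in audit_port(port, settings):
            print(*finding)
```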