Using 802.1X authentication with other features

VLAN assignment

You can configure the authentication server to assign a VLAN for an 802.1X user who has passed authentication. The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode.

Access control	VLAN manipulation
Port-based	Assigns the VLAN to the port as the port VLAN (PVID). The authenticated 802.1X user and all subsequent 802.1X users can access the VLAN without authentication. When the user logs off, the previous PVID restores, and all other online users are logged off.
MAC-based	If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed. If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assigns the first authenticated user's VLAN to the port as the PVID. If a different VLAN is assigned to a subsequent user, the user cannot pass the authentication. To avoid the authentication failure of subsequent users, be sure to assign the same VLAN to all 802.1X users on these ports.

Access control

VLAN manipulation

Port-based

Assigns the VLAN to the port as the port VLAN (PVID). The authenticated 802.1X user and all subsequent 802.1X users can access the VLAN without authentication.

When the user logs off, the previous PVID restores, and all other online users are logged off.

MAC-based

If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assigns the first authenticated user's VLAN to the port as the PVID. If a different VLAN is assigned to a subsequent user, the user cannot pass the authentication. To avoid the authentication failure of subsequent users, be sure to assign the same VLAN to all 802.1X users on these ports.

With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed.

For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.

VLAN group assignment

Use VLAN group assignment to balance users across several VLANs.

VLAN group assignment allows the authentication server to assign a VLAN group to the access device for an 802.1X user. From this VLAN group, the device picks a VLAN for the 802.1X user in the following order:

Selects the VLAN that has the fewest number of online 802.1X users.

If a port performs port-based access control, all 802.1X users attached to the port are counted as one user.

If two VLANs have the same number of 802.1X users, the device selects the VLAN with the lower ID.

Guest VLAN

You can configure a guest VLAN on a port to accommodate users who have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. Once a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.

On a port that performs port-based access control

Authentication status	VLAN manipulation
No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled	Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.
A user in the 802.1X guest VLAN fails 802.1X authentication	If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, assigns the Auth-Fail VLAN to the port as the PVID. All users on this port can access only resources in the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X guest VLAN. All users on the port are in the guest VLAN.
A user in the 802.1X guest VLAN passes 802.1X authentication	Assigns the VLAN specified for the user to the port as the PVID, and removes the port from the 802.1X guest VLAN. After the user logs off, the user configured PVID restores. If the authentication server assigns no VLAN, the user-configured PVID applies. The user and all subsequent 802.1X users are assigned to the user-configured port VLAN. After the user logs off, the port VLAN remains unchanged.

Authentication status

VLAN manipulation

No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled

Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN.

If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.

A user in the 802.1X guest VLAN fails 802.1X authentication

If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, assigns the Auth-Fail VLAN to the port as the PVID. All users on this port can access only resources in the Auth-Fail VLAN.

If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X guest VLAN. All users on the port are in the guest VLAN.

A user in the 802.1X guest VLAN passes 802.1X authentication

Assigns the VLAN specified for the user to the port as the PVID, and removes the port from the 802.1X guest VLAN. After the user logs off, the user configured PVID restores.
If the authentication server assigns no VLAN, the user-configured PVID applies. The user and all subsequent 802.1X users are assigned to the user-configured port VLAN. After the user logs off, the port VLAN remains unchanged.

On a port that performs MAC-based access control

Authentication status	VLAN manipulation
A user has not passed 802.1X authentication yet	Creates a mapping between the MAC address of the user and the 802.1X guest VLAN. The user can access resources in the guest VLAN.
A user in the 802.1X guest VLAN fails 802.1X authentication	If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest VLAN.
A user in the 802.1X guest VLAN passes 802.1X authentication	Re-maps the MAC address of the user to the VLAN specified for the user. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.

Authentication status

VLAN manipulation

A user has not passed 802.1X authentication yet

Creates a mapping between the MAC address of the user and the 802.1X guest VLAN. The user can access resources in the guest VLAN.

A user in the 802.1X guest VLAN fails 802.1X authentication

If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.

If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest VLAN.

A user in the 802.1X guest VLAN passes 802.1X authentication

Re-maps the MAC address of the user to the VLAN specified for the user.

If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.

To use the 802.1X guest VLAN function on a port that performs MAC-based access control, make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.

The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.

For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.

Auth-Fail VLAN

You can configure an Auth-Fail VLAN to accommodate users who have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.

The Auth-Fail VLAN does not accommodate 802.1X users who have failed authentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.

On a port that performs port-based access control

Authentication status	VLAN manipulation
A user fails 802.1X authentication	Assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.
A user in the Auth-Fail VLAN fails 802.1X re-authentication	The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this port are in this VLAN.
A user passes 802.1X authentication	Assigns the VLAN specified for the user to the port as the PVID, and removes the port from the Auth-Fail VLAN. After the user logs off, the user-configured PVID restores. If the authentication server assigns no VLAN, the initial PVID applies. The user and all subsequent 802.1X users are assigned to the user-configured PVID. After the user logs off, the PVID remains unchanged.

On a port that performs MAC-based access control

Authentication status	VLAN manipulation
A user fails 802.1X authentication	Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.
A user in the Auth-Fail VLAN fails 802.1X re-authentication	The user is still in the Auth-Fail VLAN.
A user in the Auth-Fail VLAN passes 802.1X authentication	Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.

Authentication status

VLAN manipulation

A user fails 802.1X authentication

Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.

A user in the Auth-Fail VLAN fails 802.1X re-authentication

The user is still in the Auth-Fail VLAN.

A user in the Auth-Fail VLAN passes 802.1X authentication

Re-maps the MAC address of the user to the server-assigned VLAN.

If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.

To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you must ensure that the port is a hybrid port, and enable MAC-based VLAN on the port.

The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.

For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.

Critical VLAN

You configure an 802.1X critical VLAN on a port to accommodate 802.1X users who fail authentication because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the critical VLAN can access a limit set of network resources depending on your configuration.

The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about RADIUS configuration, see "Configuring AAA."

The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode.

On a port that performs port-based access control

To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port. For more information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching Configuration Guide.

Authentication status	VLAN manipulation
A user who has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable.	Assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port can access only resources in the critical VLAN.
A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable.	The critical VLAN is still the PVID of the port, and all 802.1X users on this port are in this VLAN.
A user in the 802.1X critical VLAN fails authentication for any other reason than server unreachable.	If an Auth-Fail VLAN has been configured, the PVID of the port changes to Auth-Fail VLAN ID, and all 802.1X users on this port are moved to the Auth-Fail VLAN.
A user in the critical VLAN passes 802.1X authentication.	Assigns the VLAN specified for the user to the port as the PVID, and removes the port from the critical VLAN. After the user logs off, the default or user-configured PVID restores. If the authentication server assigns no VLAN, the default or user-configured PVID applies. The user and all subsequent 802.1X users are assigned to this port VLAN. After the user logs off, this PVID remains unchanged.
A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS servers is reachable.	The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the guest VLAN or the Auth-Fail VLAN.

On a port that performs MAC-based access control

Authentication status	VLAN manipulation
A user who has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable.	Maps the MAC address of the user to the critical VLAN. The user can access only resources in the critical VLAN.
A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable.	The user is still in the critical VLAN.
A user in the critical VLAN fails 802.1X authentication for any other reason than server unreachable.	If an Auth-Fail VLAN has been configured, re-maps the MAC address of the user to the Auth-Fail VLAN ID.
A user in the critical VLAN passes 802.1X authentication.	Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the default or user-configured PVID on the port.
A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS server are unreachable.	The user remains in the 802.1X VLAN or the Auth-Fail VLAN.
A user in the MAC authentication guest VLAN fails 802.1X authentication because all the 802.1X authentication server are unreachable.	The user is removed from the MAC authentication VLAN and mapped to the 802.1X critical VLAN.

NOTE:

The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.

Any of the following RADIUS authentication server changes in the ISP domain for 802.1X users on a port can cause the users to be removed from the critical VLAN:

An authentication server is reconfigured, added, or removed.
The status of any RADIUS authentication server automatically changes to active or is administratively set to active.
The RADIUS server probing function detects that a RADIUS authentication server is reachable and sets its state to active.

You can use the dot1x critical recovery-action reinitialize command to configure the port to trigger 802.1X re-authentication when the port or an 802.1X user on the port is removed from the critical VLAN.

If MAC-based access control is used, the port sends a unicast Identity EAP/Request to the 802.1X user to trigger authentication.
If port-based access control is used, the port sends a multicast Identity EAP/Request to the 802.1X users to trigger authentication.

ACL assignment

You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server (either the local access device or a RADIUS server) assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access device. You can change ACL rules while the user is online.

prev	up	next
Access control methods	home	Configuration prerequisites