Configuration guidelines
Follow these guidelines when configuring an 802.1X Auth-Fail VLAN:
Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X Auth-Fail VLAN on a port, so the port can correctly process VLAN tagged incoming traffic.
You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.
If 802.1X clients in your network cannot trigger an immediate DHCP-assigned IP address renewal in response to a VLAN change, the 802.1X users cannot access authorized network resources immediately after an 802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HPE iNode client does not have this problem.
Use Table 7 when configuring multiple security features on a port.
Table 7: Relationships of the 802.1X Auth-Fail VLAN with other features
Feature | Relationship description | Reference |
|---|---|---|
Super VLAN | You cannot specify a VLAN as both a super VLAN and an 802.1X Auth-Fail VLAN. | See Layer 2—LAN Switching Configuration Guide. |
MAC authentication guest VLAN on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN has a high priority. | |
Port intrusion protection on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. | See "Configuring port security." |