Auth-Fail VLAN

The 802.1X Auth-Fail VLAN on a port accommodates users that have failed 802.1X authentication because of the failure to comply with the organization security strategy. For example, the VLAN accommodates users that have entered a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches.

The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.

For port-based access control

Authentication status	VLAN manipulation
A user accesses the port and fails 802.1X authentication.	The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.
A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication.	The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this port are in this VLAN.
A user in the 802.1X Auth-Fail VLAN passes 802.1X authentication.	The device assigns the authorization VLAN of the user to the port as the PVID, and it removes the port from the Auth-Fail VLAN. If the authentication server does not authorize a VLAN, the initial PVID of the port applies. The user and all subsequent 802.1X users are assigned to the initial PVID. After the user logs off, the guest VLAN is assigned to the port as the PVID. If no guest VLAN is configured, the initial PVID of the port is restored.

Authentication status

VLAN manipulation

A user accesses the port and fails 802.1X authentication.

The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.

A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication.

The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this port are in this VLAN.

A user in the 802.1X Auth-Fail VLAN passes 802.1X authentication.

The device assigns the authorization VLAN of the user to the port as the PVID, and it removes the port from the Auth-Fail VLAN.

If the authentication server does not authorize a VLAN, the initial PVID of the port applies. The user and all subsequent 802.1X users are assigned to the initial PVID.

After the user logs off, the guest VLAN is assigned to the port as the PVID. If no guest VLAN is configured, the initial PVID of the port is restored.

For MAC-based access control

Authentication status	VLAN manipulation
A user accesses the port and fails 802.1X authentication.	The device maps the MAC address of the user to the 802.1X Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.
A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication.	The user is still in the Auth-Fail VLAN.
A user in the 802.1X Auth-Fail VLAN passes 802.1X authentication.	The device remaps the MAC address of the user to the authorization VLAN. If the authentication server does not authorize a VLAN, the device remaps the MAC address of the user to the initial PVID on the port.

Authentication status

VLAN manipulation

A user accesses the port and fails 802.1X authentication.

The device maps the MAC address of the user to the 802.1X Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.

A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication.

The user is still in the Auth-Fail VLAN.

A user in the 802.1X Auth-Fail VLAN passes 802.1X authentication.

The device remaps the MAC address of the user to the authorization VLAN.

If the authentication server does not authorize a VLAN, the device remaps the MAC address of the user to the initial PVID on the port.

prev	up	next
Guest VLAN	home	Critical VLAN