Guest VSI

The 802.1X guest VSI on a port accommodates users that have not performed 802.1X authentication. You can deploy a limited set of network resources in the VXLAN that is associated with the guest VSI. For example, deploy a software server for users to download anti-virus software and system patches. Once a user in the guest VSI passes 802.1X authentication, the user is removed from the guest VSI and can access authorized network resources.

The VTEP handles VSIs on an 802.1X-enabled port based on its 802.1X access control method.

For port-based access control

The following table shows how the VTEP handles VSIs on an 802.1X-enabled port that performs port-based access control:

Authentication status	VSI manipulation
A user accesses the port and has not performed 802.1X authentication.	The VTEP assigns the port to the 802.1X guest VSI. All 802.1X users from the same VLAN on this port can access only resources in the VXLAN associated with the guest VSI.
A user in the 802.1X guest VSI fails 802.1X authentication.	If an 802.1X Auth-Fail VSI is available (see "Auth-Fail VSI"), the VTEP assigns the port to the Auth-Fail VSI. All users from the same VLAN on this port can access only resources in the VXLAN associated with the Auth-Fail VSI. If no Auth-Fail VSI is configured, the port is still in the 802.1X guest VSI.
A user in the 802.1X guest VSI passes 802.1X authentication.	The VTEP removes the port from the 802.1X guest VSI and assigns the port to the authorization VSI of the user.

Authentication status

VSI manipulation

A user accesses the port and has not performed 802.1X authentication.

The VTEP assigns the port to the 802.1X guest VSI. All 802.1X users from the same VLAN on this port can access only resources in the VXLAN associated with the guest VSI.

A user in the 802.1X guest VSI fails 802.1X authentication.

If an 802.1X Auth-Fail VSI is available (see "Auth-Fail VSI"), the VTEP assigns the port to the Auth-Fail VSI. All users from the same VLAN on this port can access only resources in the VXLAN associated with the Auth-Fail VSI.

If no Auth-Fail VSI is configured, the port is still in the 802.1X guest VSI.

A user in the 802.1X guest VSI passes 802.1X authentication.

The VTEP removes the port from the 802.1X guest VSI and assigns the port to the authorization VSI of the user.

For MAC-based access control

The following table shows how the VTEP handles VSIs on an 802.1X-enabled port that performs MAC-based access control:

Authentication status	VSI manipulation
A user accesses the port and has not performed 802.1X authentication.	The VTEP maps the user's MAC address and access VLAN to the 802.1X guest VSI on the port. The user can access only resources in the VXLAN associated with the guest VSI.
A user in the 802.1X guest VSI fails 802.1X authentication.	If an 802.1X Auth-Fail VSI is available on the port, the VTEP remaps the user's MAC address and access VLAN to the Auth-Fail VSI. The user can access only resources in the VXLAN associated with the Auth-Fail VSI. If no 802.1X Auth-Fail VSI is configured on the port, the user is still in the 802.1X guest VSI.
A user in the 802.1X guest VSI passes 802.1X authentication.	The VTEP removes the user from the 802.1X guest VSI and remaps the user's MAC address and access VLAN to the authorization VSI.

Authentication status

VSI manipulation

A user accesses the port and has not performed 802.1X authentication.

The VTEP maps the user's MAC address and access VLAN to the 802.1X guest VSI on the port. The user can access only resources in the VXLAN associated with the guest VSI.

A user in the 802.1X guest VSI fails 802.1X authentication.

If an 802.1X Auth-Fail VSI is available on the port, the VTEP remaps the user's MAC address and access VLAN to the Auth-Fail VSI. The user can access only resources in the VXLAN associated with the Auth-Fail VSI.

If no 802.1X Auth-Fail VSI is configured on the port, the user is still in the 802.1X guest VSI.

A user in the 802.1X guest VSI passes 802.1X authentication.

The VTEP removes the user from the 802.1X guest VSI and remaps the user's MAC address and access VLAN to the authorization VSI.

prev	up	next
Authorization VSI	home	Auth-Fail VSI