Auth-Fail VSI
The 802.1X Auth-Fail VSI on a port accommodates users who have failed 802.1X authentication because they do not comply with the organization's security strategy. For example, the VSI accommodates users who entered a wrong password. Users in the Auth-Fail VSI can access a limited set of network resources in the VXLAN associated with this VSI. You can deploy a software server in the Auth-Fail VSI for users to download antivirus software and system patches.
The VTEP handles VSIs on an 802.1X-enabled port based on its 802.1X access control method.
For port-based access control
The following table shows how the VTEP handles VSIs on an 802.1X-enabled port that performs port-based access control:
Authentication status | VSI manipulation |
---|---|
A user accesses the port and fails 802.1X authentication. | The VTEP assigns the port to the Auth-Fail VSI. All 802.1X users from the same VLAN on this port can access only resources in the VXLAN associated with the Auth-Fail VSI. |
A user in the 802.1X Auth-Fail VSI fails 802.1X authentication for any reason other than unreachable servers. | The port is still in the Auth-Fail VSI. |
A user passes 802.1X authentication. | The VTEP removes the port from the Auth-Fail VSI and assigns the port to the authorization VSI of the user. After the user logs off, the port is removed from the authorization VSI. If the 802.1X guest VSI is configured on the port, the VTEP assigns the port to the guest VSI. |
For MAC-based access control
The following table shows how the VTEP handles VSIs on an 802.1X-enabled port that performs MAC-based access control:
Authentication status | VSI manipulation |
---|---|
A user accesses the port and fails 802.1X authentication. | The VTEP maps the user's MAC address and access VLAN to the 802.1X Auth-Fail VSI on the port. The user can access only resources in the VXLAN associated with the Auth-Fail VSI. |
A user in the 802.1X Auth-Fail VSI fails 802.1X authentication for any reason other than unreachable servers. | The user is still in the Auth-Fail VSI. |
A user in the 802.1X Auth-Fail VSI passes 802.1X authentication. | The VTEP removes the user from the 802.1X Auth-Fail VSI and remaps the user's MAC address and access VLAN to the authorization VSI. |
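The two tables differ mainly in how far one failed authentication reaches: the whole port (all users in the same VLAN) under port-based control, or a single MAC address under MAC-based control. The following Python model is an added illustration, not vendor code; the class, method and VSI names are hypothetical, the MAC addresses are constructed sample values, and tracking the port-based assignment per access VLAN is a modeling assumption.

```python
# Added illustration of the two tables above; not vendor code.
# Dot1xPort, its methods and the VSI names are hypothetical.
class Dot1xPort:
    def __init__(self, mode, auth_fail_vsi, guest_vsi=None):
        if mode not in ("port", "mac"):
            raise ValueError("mode must be 'port' or 'mac'")
        self.mode = mode
        self.auth_fail_vsi = auth_fail_vsi
        self.guest_vsi = guest_vsi      # optional 802.1X guest VSI
        self.mapping = {}               # key -> VSI name

    def _key(self, mac, vlan):
        # Port-based: the port is assigned as a whole, tracked here per access
        # VLAN (modeling assumption). MAC-based: one entry per (MAC, VLAN).
        return vlan if self.mode == "port" else (mac, vlan)

    def handle(self, mac, vlan, event, authz_vsi=None):
        key = self._key(mac, vlan)
        if event == "fail":             # any reason other than unreachable servers
            self.mapping[key] = self.auth_fail_vsi
        elif event == "pass":
            if authz_vsi is None:
                raise ValueError("a pass needs the user's authorization VSI")
            self.mapping[key] = authz_vsi
        elif event == "logoff" and self.mode == "port":
            self.mapping.pop(key, None)  # port leaves the authorization VSI
            if self.guest_vsi:
                self.mapping[key] = self.guest_vsi
        else:
            raise ValueError(f"event {event!r} is not covered by the tables")

    def vsi_for(self, mac, vlan):
        """VSI that traffic from this MAC/VLAN is mapped to, or None."""
        return self.mapping.get(self._key(mac, vlan))

def scope_of_failure(mode):
    """User A fails; return (A's VSI, VSI of bystander B on the same VLAN)."""
    port = Dot1xPort(mode, "vsi-authfail", guest_vsi="vsi-guest")
    port.handle("00:00:5e:00:53:0a", 10, "fail")
    return (port.vsi_for("00:00:5e:00:53:0a", 10),
            port.vsi_for("00:00:5e:00:53:0b", 10))

if __name__ == "__main__":
    for mode in ("port", "mac"):
        print(mode, scope_of_failure(mode))
```

The model leaves out the unreachable-server case and log-off under MAC-based control, because the tables do not describe them.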