Configuring an 802.1X Auth-Fail VLAN
Restrictions and guidelines
Assign different IDs to the port VLAN, the voice VLAN, and the 802.1X Auth-Fail VLAN on a port. Using different IDs ensures that the port correctly processes VLAN-tagged incoming traffic.
You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.
When you configure multiple security features on a port, follow the guidelines in Table 10.
Table 10: Relationships of the 802.1X Auth-Fail VLAN with other features
| Feature | Relationship description | Reference |
|---|---|---|
| Super VLAN | You cannot specify a VLAN as both a super VLAN and an 802.1X Auth-Fail VLAN. | See Layer 2—LAN Switching Configuration Guide. |
| MAC authentication guest VLAN on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN has a high priority. | |
| Port intrusion protection actions on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN feature has higher priority than the block MAC action. The 802.1X Auth-Fail VLAN feature has lower priority than the shutdown port action of the port intrusion protection feature. | See "Configuring port security." |
Prerequisites
Before you configure an 802.1X Auth-Fail VLAN, complete the following tasks:
- Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
- If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port:
  - Configure the port as a hybrid port.
  - Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.
  - Assign the port to the Auth-Fail VLAN as an untagged member.
Procedure
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Configure the 802.1X Auth-Fail VLAN on the port.
   dot1x auth-fail vlan authfail-vlan-id
   By default, no 802.1X Auth-Fail VLAN exists on a port.
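The following Python check is an added example, not part of the original guide or any vendor tooling. It audits one saved interface stanza against the VLAN ID restriction and the MAC-based access control prerequisites above. The sample stanza, its interface name and VLAN IDs, the default port VLAN of 1, and every command spelling other than dot1x auth-fail vlan are assumptions.

```python
import re

# Constructed sample stanza. Only "dot1x auth-fail vlan" is taken from the page;
# the other command spellings and the default port VLAN of 1 are assumptions.
SAMPLE = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid vlan 10 100 to 102 untagged
 voice-vlan 20 enable
 mac-vlan enable
 dot1x auth-fail vlan 100
"""

def vlan_id(pattern, stanza):
    """Return the VLAN ID captured by pattern, or None if the line is absent."""
    m = re.search(pattern, stanza, re.M)
    return int(m.group(1)) if m else None

def untagged_vlans(stanza):
    """Collect untagged hybrid VLAN IDs, expanding 'A to B' ranges."""
    ids = set()
    for m in re.finditer(r"^\s*port hybrid vlan ([\d to]+?) untagged\s*$", stanza, re.M):
        for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", m.group(1)):
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def check_auth_fail(stanza, existing_vlans):
    """Return findings for one interface stanza; an empty list means compliant."""
    af = vlan_id(r"^\s*dot1x auth-fail vlan (\d+)\s*$", stanza)
    if af is None:
        return ["no 802.1X Auth-Fail VLAN on the port (default)"]
    findings = []
    if af not in existing_vlans:
        findings.append(f"VLAN {af} has not been created")
    pvid = vlan_id(r"^\s*port hybrid pvid vlan (\d+)\s*$", stanza) or 1
    voice = vlan_id(r"^\s*voice-vlan (\d+) enable\s*$", stanza)
    if af == pvid:
        findings.append("Auth-Fail VLAN ID equals the port VLAN ID")
    if af == voice:
        findings.append("Auth-Fail VLAN ID equals the voice VLAN ID")
    if not re.search(r"^\s*port link-type hybrid\s*$", stanza, re.M):
        findings.append("port is not a hybrid port")
    if not re.search(r"^\s*mac-vlan enable\s*$", stanza, re.M):
        findings.append("MAC-based VLAN is not enabled")
    if af not in untagged_vlans(stanza):
        findings.append(f"port is not an untagged member of VLAN {af}")
    return findings
```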