ACL assignment, 802.1X configuration task list – H3C Technologies H3C S5120 Series Switches User Manual

Page 390


1-12

Similar to a guest VLAN, an Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a MAC-based Auth-Fail VLAN (MAFV), depending on the port access control method. Currently, on the switch, an Auth-Fail VLAN can only be a port-based Auth-Fail VLAN (PAFV).

PAFV refers to the Auth-Fail VLAN configured on a port that uses the port-based access control method. With PAFV configured on a port, if a user on the port fails authentication, the port is added to the Auth-Fail VLAN and all users accessing the port are authorized to access the resources in the Auth-Fail VLAN. The device adds a PAFV-configured port to the Auth-Fail VLAN according to the port's link type, in the same way as described in VLAN assignment.

If a user of a port in the Auth-Fail VLAN initiates authentication but fails, the port stays in the Auth-Fail VLAN. If the user passes authentication, the port leaves the Auth-Fail VLAN, and:

• If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes offline, the port returns to its initial VLAN, that is, the VLAN the port was in before it was added to any authorized VLAN.

• If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client goes offline, the port still stays in its initial VLAN.
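The PAFV transitions described above (authentication failure, success with or without a server-assigned VLAN, and the user going offline), modelled as a small state machine. This is an added illustration, not H3C code; the VLAN IDs and method names are constructed for the example.

```python
"""Model of port-based Auth-Fail VLAN (PAFV) membership for one port.

Port-based access control means the whole port, and therefore every host
behind it, shares a single VLAN state. Constructed example, not device code.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PafvPort:
    initial_vlan: int       # VLAN the port was in before any authorized VLAN
    auth_fail_vlan: int     # the configured Auth-Fail VLAN (PAFV)
    current_vlan: int = 0   # 0 means "not yet set"; defaults to initial_vlan

    def __post_init__(self) -> None:
        if self.current_vlan == 0:
            self.current_vlan = self.initial_vlan

    def in_auth_fail_vlan(self) -> bool:
        return self.current_vlan == self.auth_fail_vlan

    def auth_failed(self) -> int:
        # A failed authentication moves the port into the Auth-Fail VLAN, or
        # keeps it there if it already is; all hosts on the port are then
        # limited to the resources reachable from that VLAN.
        self.current_vlan = self.auth_fail_vlan
        return self.current_vlan

    def auth_succeeded(self, server_vlan: Optional[int]) -> int:
        # Success takes the port out of the Auth-Fail VLAN: the server-assigned
        # VLAN if one was returned, otherwise the port's initial VLAN.
        if server_vlan is not None:
            self.current_vlan = server_vlan
        else:
            self.current_vlan = self.initial_vlan
        return self.current_vlan

    def user_offline(self) -> int:
        # When the authenticated user goes offline, the port returns to its
        # initial VLAN (a port already in its initial VLAN simply stays there).
        # The text describes offline handling only for users who passed
        # authentication, so a port sitting in the Auth-Fail VLAN is left as is.
        if not self.in_auth_fail_vlan():
            self.current_vlan = self.initial_vlan
        return self.current_vlan
```

Running a port through fail, success-with-assignment and offline returns it to the VLAN it started in, which is the behaviour an operator should verify after configuring a PAFV.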

ACL assignment

ACLs provide a way of controlling access to network resources and defining access rights. When a user logs on through a port and the RADIUS server is configured with authorization ACLs, the device permits or denies data flows traversing the port according to the authorization ACLs. Before specifying authorization ACLs on the server, you need to configure the ACL rules on the device. You can change the access rights of users by modifying the authorization ACL settings on the RADIUS server or by changing the corresponding ACL rules on the device.

Mandatory authentication domain for a specified port

The mandatory authentication domain function provides a security control mechanism for 802.1X access. With a mandatory authentication domain specified for a port, the system uses that domain for authentication, authorization, and accounting of all 802.1X users on the port. In this way, users accessing the port cannot use an account in any other domain.

For EAP relay mode 802.1X authentication that uses certificates, the certificate of a user normally determines the authentication domain of the user. However, you can specify different mandatory authentication domains for different ports even if the user certificates come from the same certificate authority (that is, the user domain names are the same). This allows you to deploy 802.1X access policies flexibly.

802.1X Configuration Task List

Complete the following tasks to configure 802.1X:

Task                                                        Remarks
802.1X Basic Configuration                                  Required
Enabling the Online User Handshake Function                 Optional
Enabling the Multicast Trigger Function                     Optional
Specifying a Mandatory Authentication Domain for a Port     Optional
