Configuring a guest vlan or auth-fail vlan – H3C Technologies H3C S3100 Series Switches User Manual


MAC Address Authentication Enhanced Function Configuration

MAC Address Authentication Enhanced Function Configuration Tasks

Table 1-2 MAC address authentication enhanced function configuration tasks

| Operation | Description | Related section |
|---|---|---|
| Configure a guest VLAN or Auth-Fail VLAN | Optional | Section "Configuring a Guest VLAN or Auth-Fail VLAN" |
| Configure the maximum number of MAC address authentication users allowed to access a port | Optional | Section "Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port" |
| Configure the quiet MAC function on a port | Optional | Section "Configuring the Quiet MAC Function on a Port" |

Configuring a Guest VLAN or Auth-Fail VLAN

- Unlike the guest VLANs and Auth-Fail VLANs described in the 802.1x and System-Guard manual, the guest VLANs and Auth-Fail VLANs mentioned in this section are dedicated to MAC address authentication.

- The guest VLAN and Auth-Fail VLAN for MAC authentication are VLANs through which users who fail MAC authentication can access certain resources.

- At present, among the S3100 series Ethernet switches, only the S3100-EI series supports the Auth-Fail VLAN function for MAC authentication.

After you complete the configuration tasks in "Configuring Basic MAC Authentication Functions" for a switch, the switch can authenticate access users according to their MAC addresses or according to fixed user names and passwords. The switch does not learn the MAC addresses of clients that fail authentication into its local MAC address table, which prevents illegal users from accessing the network.

In some cases, clients that fail authentication still need to access some resources in the network (such as the virus library update server). For these cases, you can use the guest VLAN or Auth-Fail VLAN.

A guest VLAN/Auth-Fail VLAN for MAC authentication can be a port-based guest VLAN/Auth-Fail VLAN (PGV/PAFV) or MAC-based guest VLAN/Auth-Fail VLAN (MGV/MAFV), depending on the VLAN assignment mode.

- PGV/PAFV: If a user fails MAC authentication on a port configured with a PGV/PAFV, the device adds the port to the guest VLAN or Auth-Fail VLAN, and then all users on the port can access the resources in the guest VLAN or Auth-Fail VLAN.

- MGV/MAFV: For the MGV/MAFV configured on a port to take effect, the MAC VLAN function must also be enabled. If a user fails MAC authentication on the port, the device binds the MAC address of the user to the guest VLAN/Auth-Fail VLAN, so the user can access resources only in the guest VLAN or Auth-Fail VLAN.
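The difference in scope between the two assignment modes matters when several clients share one port. The following is an added example, not part of the H3C manual and not switch firmware or CLI: a simplified Python model of the behaviour described above, showing which clients end up able to reach the guest VLAN/Auth-Fail VLAN in each mode. All class names, field names, the VLAN ID and the MAC addresses are hypothetical and constructed for illustration.

```python
# Simplified model of PGV/PAFV versus MGV/MAFV as described in this section.
# Names, VLAN ID and MAC addresses are hypothetical; this is not H3C code.
from dataclasses import dataclass, field


@dataclass
class Port:
    mode: str                       # "port" = PGV/PAFV, "mac" = MGV/MAFV
    fallback_vlan: int              # guest VLAN or Auth-Fail VLAN ID
    mac_vlan_enabled: bool = False  # required for "mac" mode to take effect
    users: set = field(default_factory=set)           # MACs attached to the port
    port_in_fallback: bool = False                    # PGV/PAFV state
    mac_bindings: dict = field(default_factory=dict)  # MGV/MAFV state

    def auth_failed(self, mac: str) -> None:
        """Apply the fallback action for a client that failed MAC authentication."""
        self.users.add(mac)
        if self.mode == "port":
            # The whole port is added to the fallback VLAN.
            self.port_in_fallback = True
        elif self.mode == "mac" and self.mac_vlan_enabled:
            # Only the failing MAC address is bound to the fallback VLAN.
            self.mac_bindings[mac] = self.fallback_vlan
        # "mac" mode without MAC VLAN enabled: the setting does not take effect.

    def fallback_reach(self) -> set:
        """Return the MACs that can reach resources in the fallback VLAN."""
        if self.mode == "port":
            return set(self.users) if self.port_in_fallback else set()
        return {m for m, v in self.mac_bindings.items() if v == self.fallback_vlan}


def simulate(mode: str, mac_vlan_enabled: bool, present: set, failing: str) -> set:
    """One failed authentication on a port that already has other clients."""
    port = Port(mode=mode, fallback_vlan=100, mac_vlan_enabled=mac_vlan_enabled)
    port.users.update(present)
    port.auth_failed(failing)
    return port.fallback_reach()


if __name__ == "__main__":
    others = {"0011-2233-4401", "0011-2233-4402"}  # constructed sample MACs
    bad = "0011-2233-44ff"
    print("PGV/PAFV:", sorted(simulate("port", False, others, bad)))
    print("MGV/MAFV:", sorted(simulate("mac", True, others, bad)))
    print("MGV/MAFV, MAC VLAN off:", sorted(simulate("mac", False, others, bad)))
```

In the port-based case every client on the port gains access to the fallback VLAN after a single failure, while the MAC-based case confines the change to the failing client, and has no effect at all if the MAC VLAN function is not enabled.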
