• The users of the port can initiate 802.1x authentication. If a user passes authentication, the port leaves the guest VLAN and is added to the original VLAN (that is, the one the port belonged to before it was added to the guest VLAN). The port then does not handle other users' authentication requests.
• MAC address authentication is also allowed. However, MAC authentication in this case cannot be triggered by user requests; the switch uses the first MAC address learned in the guest VLAN to initiate MAC address authentication at a certain interval. If the authentication succeeds, the port leaves the guest VLAN.

Follow these steps to configure a guest VLAN for a port in macAddressOrUserLoginSecure mode:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Set the interval at which the switch triggers MAC address authentication after a port is added to the guest VLAN | port-security timer guest-vlan-reauth interval | Optional |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the security mode to macAddressOrUserLoginSecure | port-security port-mode userlogin-secure-or-mac | Required |
| Specify a VLAN as the guest VLAN of the port | port-security guest-vlan vlan-id | Required |

Note that:

• Only an existing VLAN can be specified as a guest VLAN. Make sure the guest VLAN of a port contains the resources that the users need.
• If one user of the port has passed or is undergoing authentication, you cannot specify a guest VLAN for it.
• When a user using a port with a guest VLAN specified fails the authentication, the port is added to the guest VLAN and users of the port can access only the resources in the guest VLAN.
• Multiple users may connect to one port in the macAddressOrUserLoginSecure mode for authentication; however, after a guest VLAN is specified for the port, only one user can pass the security authentication. In this case, the authentication client software of the other 802.1x users displays messages about the failure; MAC address authentication does not have any client software and therefore no such messages will be displayed.
• To change the security mode of a port that is in macAddressOrUserLoginSecure mode and is assigned to a guest VLAN, execute the undo port-security guest-vlan command first to remove the guest VLAN configuration.
• For a port configured with both the port-security guest-vlan and port-security intrusion-mode disableport commands, when authentication of a user fails, only the intrusion detection feature is triggered. The port is not added to the specified guest VLAN.
• It is not recommended to configure the port-security guest-vlan and port-security intrusion-mode blockmac commands simultaneously for a port, because when the authentication of a user fails, the MAC address blocking feature is triggered and the user's packets are dropped, making the user unable to access the guest VLAN.
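
The notes above translate into checks that can be run against a saved configuration before it is deployed. The following Python sketch is an added example, not part of the manual: it flags ports whose guest VLAN setting conflicts with the port mode, with a missing VLAN, or with the disableport and blockmac intrusion modes. The configuration layout (top-level `vlan <id>` and `interface` lines with indented commands beneath them), the interface names and the VLAN IDs are assumptions constructed for illustration.

```python
# Constructed sample in the style of a saved switch configuration (not from the manual).
SAMPLE_CONFIG = """\
vlan 10
interface Ethernet1/0/1
 port-security port-mode userlogin-secure-or-mac
 port-security guest-vlan 10
interface Ethernet1/0/2
 port-security port-mode userlogin-secure-or-mac
 port-security guest-vlan 10
 port-security intrusion-mode disableport
interface Ethernet1/0/3
 port-security port-mode userlogin-secure-or-mac
 port-security guest-vlan 20
 port-security intrusion-mode blockmac
interface Ethernet1/0/4
 port-security port-mode userlogin-secure
 port-security guest-vlan 10
"""

def lint_guest_vlan(config):
    """Return {interface: [findings]} for every port that sets port-security guest-vlan."""
    vlans, ports, current = set(), {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not raw.startswith(" "):  # top-level line: a new stanza begins
            current = None
            if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
                vlans.add(words[1])
            elif len(words) >= 2 and words[0] == "interface":
                current = ports.setdefault(" ".join(words[1:]), {})
        elif current is not None and len(words) >= 3 and words[0] == "port-security":
            current[words[1]] = words[2]  # e.g. {"guest-vlan": "10"}
    report = {}
    for name, ps in ports.items():
        if "guest-vlan" in ps:
            report[name] = found = []
            if ps.get("port-mode") != "userlogin-secure-or-mac":
                found.append("guest VLAN set but port mode is not userlogin-secure-or-mac")
            if ps["guest-vlan"] not in vlans:
                found.append(f"guest VLAN {ps['guest-vlan']} does not exist")
            if ps.get("intrusion-mode") == "disableport":
                found.append("disableport: on failure the port is not added to the guest VLAN")
            if ps.get("intrusion-mode") == "blockmac":
                found.append("blockmac: failed user's packets are dropped, guest VLAN unreachable")
    return report

if __name__ == "__main__":
    for port, findings in lint_guest_vlan(SAMPLE_CONFIG).items():
        print(port, findings or "ok")
```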