Similar to a guest VLAN, an Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a MAC-based Auth-Fail VLAN (MAFV), depending on the port access control method.

Currently, on the switch, an Auth-Fail VLAN can only be a port-based Auth-Fail VLAN (PAFV).

PAFV refers to the Auth-Fail VLAN configured on a port that uses the port-based access control method. With PAFV configured on a port, if a user on the port fails authentication, the port will be added to the Auth-Fail VLAN and all users accessing the port will be authorized to access the resources in the Auth-Fail VLAN. The device adds a PAFV-configured port into the Auth-Fail VLAN according to the port’s link type, in a way similar to that described in VLAN assignment.

If a user of a port in the Auth-Fail VLAN initiates authentication but fails the authentication, the port stays in the Auth-Fail VLAN. If the user passes the authentication successfully, the port leaves the Auth-Fail VLAN, and:

- If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes offline, the port returns to its initial VLAN, that is, the VLAN the port was in before it was added to any authorized VLAN.
- If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client goes offline, the port still stays in its initial VLAN.

ACL assignment

ACLs provide a way of controlling access to network resources and defining access rights. When a user logs on through a port, and the RADIUS server is configured with authorization ACLs, the device will permit or deny data flows traversing through the port according to the authorization ACLs. Before specifying authorization ACLs on the server, you need to configure the ACL rules on the device.
You can change the access rights of users by modifying authorization ACL settings on the RADIUS server or changing the corresponding ACL rules on the device.

Mandatory authentication domain for a specified port

The mandatory authentication domain function provides a security control mechanism for 802.1X access. With a mandatory authentication domain specified for a port, the system uses the mandatory authentication domain for authentication, authorization, and accounting of all 802.1X users on the port. In this way, users accessing the port cannot use any account in other domains.

Meanwhile, for EAP relay mode 802.1X authentication that uses certificates, the certificate of a user determines the authentication domain of the user. However, you can specify different mandatory authentication domains for different ports even if the user certificates are from the same certificate authority (that is, the user domain names are the same). This allows you to deploy 802.1X access policies flexibly.

802.1X Configuration Task List

Complete the following tasks to configure 802.1X:

Task                                                      Remarks
802.1X Basic Configuration                                Required
Enabling the Online User Handshake Function               Optional
Enabling the Multicast Trigger Function                   Optional
Specifying a Mandatory Authentication Domain for a Port   Optional
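
The port-based Auth-Fail VLAN (PAFV) transitions described earlier in this section can be traced with a small model. This is an added example, not code or commands from the device or its documentation; the class, method names and VLAN numbers are hypothetical, and the model assumes one user per port at a time.

```python
# Added illustration: model of PAFV membership for one port.
# All names and VLAN IDs are hypothetical, not device commands.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PafvPort:
    initial_vlan: int      # VLAN the port was in before any authorized VLAN
    auth_fail_vlan: int    # Auth-Fail VLAN configured on the port
    vlan: int = field(init=False)
    online: bool = field(default=False, init=False)
    history: list = field(default_factory=list, init=False)

    def __post_init__(self):
        self.vlan = self.initial_vlan

    def _move(self, vlan, reason):
        self.vlan = vlan
        self.history.append((reason, vlan))

    def auth_failed(self):
        # A failure adds the port to the Auth-Fail VLAN; a repeated
        # failure while already there leaves it in place.
        self.online = False
        self._move(self.auth_fail_vlan, "auth-fail")

    def auth_succeeded(self, server_vlan: Optional[int] = None):
        # Success leaves the Auth-Fail VLAN: the server-assigned VLAN
        # if one is given, otherwise the port's initial VLAN.
        self.online = True
        target = server_vlan if server_vlan is not None else self.initial_vlan
        self._move(target, "auth-ok")

    def user_offline(self):
        # After an authenticated user goes offline the port is in its
        # initial VLAN in both cases. Assumption: an offline event with
        # no authenticated user is ignored (the text does not cover it).
        if self.online:
            self.online = False
            self._move(self.initial_vlan, "offline")


def replay(events, initial_vlan=1, auth_fail_vlan=100):
    """Apply 'fail', 'offline' or ('ok', vlan_or_None) events in order."""
    port = PafvPort(initial_vlan, auth_fail_vlan)
    for ev in events:
        if ev == "fail":
            port.auth_failed()
        elif ev == "offline":
            port.user_offline()
        else:
            port.auth_succeeded(ev[1])
    return port
```

Because the control is port-based, the VLAN tracked here applies to every user reaching the network through that port, which is why a single failed authentication changes what all of them can access.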