Auth-Fail VLAN

The Auth-Fail VLAN feature allows users failing authentication to access a specified VLAN, which is called the Auth-Fail VLAN. Note that failing authentication means being denied by the authentication server due to reasons such as a wrong password. Authentication failures caused by authentication timeout or network connection problems do not fall into this category.

Currently, the switch supports port-based Auth-Fail VLAN (PAFV) only.

PAFV refers to the Auth-Fail VLAN configured on a port that uses the port-based access control method. With PAFV configured on a port, if a user on the port fails authentication, the port will be added to the Auth-Fail VLAN and all users accessing the port will be authorized to access the resources in the Auth-Fail VLAN. The switch adds a PAFV-configured port into the Auth-Fail VLAN according to the port's link type, in a similar way as described in VLAN assignment.

If a user of a port in the Auth-Fail VLAN initiates authentication but fails the authentication, the port stays in the Auth-Fail VLAN. If the user passes the authentication successfully, the port leaves the Auth-Fail VLAN, and:
• If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user logs off, the port returns to its initial VLAN, that is, the VLAN the port was in before it was added to any authorized VLAN.
• If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client logs off, the port still stays in its initial VLAN.

If the user initiates authentication again and passes the authentication, the switch will add the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN.

Mandatory authentication domain for a specified port

The mandatory authentication domain function provides a security control mechanism for 802.1X access. With a mandatory authentication domain specified for a port, the system uses the mandatory authentication domain for authentication, authorization, and accounting of all 802.1X users on the port. In this way, users accessing the port cannot use any account in other domains.

Meanwhile, for EAP relay mode 802.1X authentication that uses certificates, the certificate of a user determines the authentication domain of the user. However, you can specify different mandatory authentication domains for different ports even if the user certificates are from the same certificate authority (that is, the user domain names are the same). This allows you to deploy 802.1X access policies flexibly.

802.1X basic configuration

Configuration prerequisites

802.1X provides a method for implementing user identity authentication. However, 802.1X cannot implement the authentication scheme solely by itself. RADIUS or local authentication must be configured to work with 802.1X.
• Configure the ISP domain to which the 802.1X user belongs and the AAA scheme to be used (that is, local authentication or RADIUS).
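The port VLAN transitions described in the Auth-Fail VLAN section above (server denial moves the port to the PAFV, timeouts do not, success moves it to the assigned or initial VLAN, logoff always returns it to the initial VLAN), as an added Python model that is not part of the original manual; the class and function names and the constructed VLAN numbers are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of a port using port-based access control with a PAFV configured.
# Events: ("denied", None)  - the authentication server rejected the user (e.g. wrong password)
#         ("timeout", None) - authentication timed out or the network failed: not a PAFV "failure"
#         ("success", vlan) - the user authenticated; vlan is the server-assigned VLAN or None
#         ("logoff", None)  - the user logged off


@dataclass
class PafvPort:
    initial_vlan: int        # VLAN the port was in before any authorized VLAN
    auth_fail_vlan: int      # the Auth-Fail VLAN (PAFV) configured on the port
    current_vlan: int = 0
    authorized: bool = False

    def __post_init__(self) -> None:
        self.current_vlan = self.initial_vlan

    def handle(self, event: str, assigned_vlan: Optional[int] = None) -> int:
        """Apply one 802.1X event and return the VLAN the port is in afterwards."""
        if event == "denied":
            # Port joins the Auth-Fail VLAN (or stays there); all users on it are limited to it.
            self.authorized = False
            self.current_vlan = self.auth_fail_vlan
        elif event == "timeout":
            # Timeouts and connection problems are not failures: the port does not move.
            pass
        elif event == "success":
            # Port leaves the Auth-Fail VLAN: assigned VLAN if the server gave one, else initial VLAN.
            self.authorized = True
            self.current_vlan = self.initial_vlan if assigned_vlan is None else assigned_vlan
        elif event == "logoff":
            # With or without an assigned VLAN, the port ends up back in its initial VLAN.
            self.authorized = False
            self.current_vlan = self.initial_vlan
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.current_vlan


def run_scenario(initial_vlan: int, auth_fail_vlan: int,
                 events: List[Tuple[str, Optional[int]]]) -> List[int]:
    """Replay a constructed event sequence and return the port VLAN after each event."""
    port = PafvPort(initial_vlan, auth_fail_vlan)
    return [port.handle(ev, vlan) for ev, vlan in events]


if __name__ == "__main__":
    # Constructed sample: initial VLAN 1, PAFV 99, server assigns VLAN 20 on the first success.
    trace = run_scenario(1, 99, [("denied", None), ("timeout", None), ("denied", None),
                                  ("success", 20), ("logoff", None), ("success", None), ("logoff", None)])
    print(trace)  # [99, 99, 99, 20, 1, 1, 1]
```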