Auth-Fail VLAN
The 802.1X Auth-Fail VLAN on a port accommodates users who have failed 802.1X authentication because they do not comply with the organization's security strategy. For example, the VLAN accommodates users who have entered a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches.
The 802.1X Auth-Fail VLAN takes effect only on a port that performs port-based access control.
The following table describes how the access device handles VLANs on an 802.1X-enabled port that performs port-based access control:
Authentication status | VLAN manipulation |
---|---|
A user fails 802.1X authentication. | The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN. |
A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication for any reason other than unreachable servers. | The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this port are in this VLAN. |
A user passes 802.1X authentication. | |
The access device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
For more information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.
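Because the Auth-Fail VLAN takes effect only with port-based access control, a saved configuration can be audited for ports where the setting is present but has no effect. The following Python check is an added example, not part of the original guide: it assumes Comware-style command syntax (`dot1x port-method`, `dot1x auth-fail vlan`) and a MAC-based default access control method, and it runs on a constructed sample configuration.

```python
import re

# Constructed sample in Comware-style syntax (assumed; not from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 dot1x port-method portbased
 dot1x auth-fail vlan 100
#
interface GigabitEthernet1/0/2
 dot1x port-method macbased
 dot1x auth-fail vlan 100
#
interface GigabitEthernet1/0/3
 dot1x auth-fail vlan 100
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#" or not line:
            current = None  # "#" or a blank line ends the interface block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_auth_fail_vlan(config, default_method="macbased"):
    """List (interface, vlan, method) where an Auth-Fail VLAN is set but the
    port does not perform port-based access control, so it has no effect."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        vlan = method = None
        for line in lines:
            m = re.fullmatch(r"dot1x auth-fail vlan (\d+)", line)
            if m:
                vlan = int(m.group(1))
            m = re.fullmatch(r"dot1x port-method (\w+)", line)
            if m:
                method = m.group(1)
        method = method or default_method  # assumed default when not configured
        if vlan is not None and method != "portbased":
            findings.append((name, vlan, method))
    return findings
```

Ports returned by `audit_auth_fail_vlan` have an Auth-Fail VLAN configured that will not be applied, so users who fail authentication there do not get the restricted access the configuration suggests.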