Extended triple authentication features
The following sections briefly describe the authorization VLAN, authentication failure VLAN, server-unreachable VLAN, authorization ACL, and online user detection features for triple authentication. For more information about these features, see "Configuring 802.1X," "Configuring MAC authentication," and "Configuring Web authentication."
Authorization VLAN
After a user passes authentication, the authentication server assigns an authorization VLAN to the access port for the user. The user can then access the network resources in the authorized VLAN.
Authentication failure VLAN
After a user fails authentication, the access port adds the user to an authentication failure VLAN configured on the port:
For an 802.1X authentication user—Adds the user to the Auth-Fail VLAN configured for 802.1X authentication.
For a Web authentication user—Adds the user to the Auth-Fail VLAN configured for Web authentication.
For a MAC authentication user—Adds the user to the guest VLAN configured for MAC authentication.
The access port supports configuring all types of authentication failure VLANs at the same time. If a user fails more than one type of authentication, the authentication failure VLAN of the user changes as follows:
If a user in the Web Auth-Fail VLAN fails MAC authentication, the user is moved to the MAC authentication guest VLAN.
If a user in the Web Auth-Fail VLAN or MAC authentication guest VLAN fails 802.1X authentication, the user is moved to the 802.1X Auth-Fail VLAN.
If a user in the 802.1X Auth-Fail VLAN fails MAC authentication or Web authentication, the user is still in the 802.1X Auth-Fail VLAN.
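The failure-VLAN moves listed above, modelled as a small state machine (an added example, not vendor code). The constant and function names are assumptions of this example, as is the handling of the one move the page does not state: a user in the MAC authentication guest VLAN who then fails Web authentication is assumed to stay put and is reported as unstated.

```python
from enum import Enum
from itertools import permutations

class Method(Enum):
    DOT1X = "802.1X"
    MAC = "MAC"
    WEB = "Web"

DOT1X_FAIL = "802.1X Auth-Fail VLAN"
MAC_GUEST = "MAC authentication guest VLAN"
WEB_FAIL = "Web Auth-Fail VLAN"

# VLAN each method places a user in when it is the only method that failed.
FAIL_VLAN = {Method.DOT1X: DOT1X_FAIL, Method.MAC: MAC_GUEST, Method.WEB: WEB_FAIL}

# Cross-method moves stated on this page: (current VLAN, failed method) -> VLAN.
STATED = {
    (WEB_FAIL, Method.MAC): MAC_GUEST,
    (WEB_FAIL, Method.DOT1X): DOT1X_FAIL,
    (MAC_GUEST, Method.DOT1X): DOT1X_FAIL,
    (DOT1X_FAIL, Method.MAC): DOT1X_FAIL,
    (DOT1X_FAIL, Method.WEB): DOT1X_FAIL,
}

def next_vlan(current, failed):
    """Return (vlan, stated) after method `failed` fails for a user in `current`."""
    if current is None or current == FAIL_VLAN[failed]:
        return FAIL_VLAN[failed], True
    if (current, failed) in STATED:
        return STATED[(current, failed)], True
    # Not covered by the page (MAC guest VLAN, then Web failure).
    # Assumption for this example only: the user stays where they are.
    return current, False

def replay(failures):
    """Replay failed methods in order; return (final VLAN, unstated steps)."""
    vlan, unstated = None, []
    for step, method in enumerate(failures):
        vlan, stated = next_vlan(vlan, method)
        if not stated:
            unstated.append((step, method.value))
    return vlan, unstated

def final_vlans_by_order():
    """Final VLAN for every order in which all three methods can fail."""
    return {tuple(m.value for m in order): replay(order)[0]
            for order in permutations(Method)}
```

Replaying every order in which all three methods fail ends in the 802.1X Auth-Fail VLAN, so when all three failure VLANs are configured, that VLAN's access policy is the one a fully failed endpoint ends up with.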
Server-unreachable VLAN
If a user fails authentication because the authentication server is unreachable, the access port adds the user to a server-unreachable VLAN.
For an 802.1X authentication user—Adds the user to the critical VLAN configured for 802.1X authentication.
For a Web authentication user—Adds the user to the Auth-Fail VLAN configured for Web authentication.
For a MAC authentication user—Adds the user to the critical VLAN configured for MAC authentication.
The access port supports configuring all types of server-unreachable VLANs at the same time. A user is added to the server-unreachable VLAN as follows:
If the user does not undergo 802.1X authentication, the user is added to the server-unreachable VLAN configured for the last authentication.
If a user in the Web Auth-Fail VLAN or the MAC authentication critical VLAN also fails 802.1X authentication, the user is added to the 802.1X authentication critical VLAN.
Authorization ACL
After a user passes authentication, the authentication server assigns an authorization ACL to the access port for the user. The access port uses the ACL to filter traffic for the user.
To use ACL assignment, you must specify authorization ACLs on the authentication server and configure the ACLs on the access device. You can change a user's access authorization by changing the authorization ACL on the authentication server or by changing the rules of the authorization ACL on the access device.
Detection of online users
You can configure the following features to detect the online status of users:
Enable online user detection for Web authentication users.
Enable the online user handshake or periodic online user reauthentication feature for 802.1X users.
Enable offline detection for MAC authentication users.