| Authentication status | VLAN manipulation |
|---|---|
| A user in the 802.1X critical VLAN passes 802.1X authentication. | The device remaps the MAC address of the user to the authorization VLAN. If the authentication server (either the local access device or a RADIUS server) does not authorize a VLAN to the user, the device remaps the MAC address of the user to the initial PVID on the port. |
| A user in the 802.1X guest VLAN fails authentication because all the RADIUS servers are unreachable. | The device remaps the MAC address of the user to the 802.1X critical VLAN. The user can access only resources in the 802.1X critical VLAN. |
| A user in the 802.1X Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable. | The user remains in the 802.1X Auth-Fail VLAN. |

For the 802.1X critical VLAN feature to take effect on a port that performs MAC-based access control, make sure the following requirements are met:
  ○ The port is a hybrid port.
  ○ MAC-based VLAN is enabled on the port.

The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.

For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.

When a reachable RADIUS server is detected, the device performs the following operations:
  ○ If MAC-based access control is used, the device removes 802.1X users from the critical VLAN. The port sends a unicast Identity EAP/Request to these users to trigger authentication.
  ○ If port-based access control is used, the device removes the port from the critical VLAN. The port sends a multicast Identity EAP/Request to all 802.1X users on the port to trigger authentication.

Using 802.1X authentication with other features

ACL assignment

You can specify an ACL for an 802.1X user to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the ACL to the access port to filter traffic from this user. The authentication server can be the local access device or a RADIUS server. In either case, you must configure the ACL on the access device. To change the access control criteria for the user, you can use one of the following methods:
• Modify ACL rules on the access device.
• Specify another authorization ACL on the authentication server.

For more information about ACLs, see ACL and QoS Configuration Guide.

EAD assistant

Endpoint Admission Defense (EAD) is an integrated endpoint access control solution to improve the threat defensive capability of a network. The solution enables the security client, security policy server, access device, and third-party server to operate together. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
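The two requirements stated earlier for the 802.1X critical VLAN on a port that performs MAC-based access control (the port is a hybrid port, and MAC-based VLAN is enabled on it) can be checked against a saved configuration. The script below is an added example, not part of the original guide: the Comware-style command keywords, the sample configuration, and the treatment of a port without an explicit port-method line as MAC-based are all assumptions made for illustration.

```python
import re

# Constructed sample; Comware-style keywords are assumed, not taken from the page.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 mac-vlan enable
 dot1x port-method macbased
 dot1x critical vlan 100
#
interface GigabitEthernet1/0/2
 port link-type access
 dot1x port-method macbased
 dot1x critical vlan 100
#
interface GigabitEthernet1/0/3
 port link-type access
 dot1x port-method portbased
 dot1x critical vlan 100
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]}."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line == "#":
            current = None
        elif current and line:
            ports[current].append(line)
    return ports

def audit_critical_vlan(config):
    """Map each MAC-based port with a critical VLAN to its unmet requirements."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(re.fullmatch(r"dot1x critical vlan \d+", l) for l in lines):
            continue
        if "dot1x port-method portbased" in lines:
            continue  # the two requirements apply to MAC-based access control only
        missing = [msg for cmd, msg in (
            ("port link-type hybrid", "port is not a hybrid port"),
            ("mac-vlan enable", "MAC-based VLAN is not enabled")) if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings
```

A port that appears in the result has a critical VLAN configured that will not take effect when all RADIUS servers become unreachable, so it is worth reviewing before an outage exposes the gap.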