HP 1920-16G, 1920-24G, 1920-24G-PoE+ (180W), 1920-48G, 1920-8G, 1920-8G-PoE+ (180W), 1920-8G-PoE+ (65W) 344

	Authentication status	VLAN manipulation
	A user fails 802.1X	The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X
	authentication.	users on this port can access only resources in the Auth-Fail VLAN.

	A user in the Auth-Fail VLAN	The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on
	fails 802.1X
	fails 802.1X	this port are in this VLAN.
	re-authentication.	this port are in this VLAN.
	re-authentication.

		• The device assigns the VLAN specified for the user to the port as the
		PVID, and removes the port from the Auth-Fail VLAN. After the user
	A user passes 802.1X	logs off, the user-configured PVID restores.
	A user passes 802.1X	• If the authentication server assigns no VLAN, the initial PVID applies.
	authentication.
	authentication.	The user and all subsequent 802.1X users are assigned to the

		user-configured PVID. After the user logs off, the PVID remains
		unchanged.

•On a port that performs MAC-based access control:

Authentication status	VLAN manipulation
A user fails 802.1X	The device remaps the MAC address of the user to the Auth-Fail VLAN.
authentication.	The user can access only resources in the Auth-Fail VLAN.

A user in the Auth-Fail VLAN
fails 802.1X	The user is still in the Auth-Fail VLAN.
re-authentication.

A user in the Auth-Fail VLAN passes 802.1X authentication.

The device remaps the MAC address of the user to the server-assigned VLAN.

If the authentication server assigns no VLAN, remaps the MAC address of the user to the initial PVID on the port.

To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you must ensure that the port is a hybrid port, and enable MAC-based VLAN on the port.

The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.

ACL assignment

You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access device. You can change ACL rules while the user is online.

Configuration prerequisites

When you configure 802.1X, follow these restrictions and guidelines:

•Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For more information, see "Configuring AAA" and "Configuring RADIUS."

•If RADIUS authentication is used, create user accounts on the RADIUS server.

•If local authentication is used, create local user accounts on the access device and specify the LAN access service for the user accounts. For more information, see "Configuring users."

331

HP manual 344

Models: 1920-16G 1920-24G 1920-24G-PoE+ (180W) 1920-48G 1920-8G 1920-8G-PoE+ (180W) 1920-8G-PoE+ (65W)