
(Optional) Configuring the Restrict VLAN Function

Context

You can configure the restrict VLAN function on a device interface so that users who fail authentication can still access some network resources (for example, to update the virus library). Users are added to the restrict VLAN when they fail authentication and can access the resources in that VLAN. Here, failing authentication means that the authentication server rejects the user (for example, because the user enters an incorrect password), not that authentication times out or the network is disconnected.

Similar to the guest VLAN, the restrict VLAN allows users to access limited network resources before passing 802.1X authentication. Generally, fewer network resources are deployed in the restrict VLAN than in the guest VLAN; therefore, the restrict VLAN limits access to network resources from unauthenticated users more strictly.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure the restrict VLAN function in the system or interface view.

    • In the system view:

    1. Run authentication restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

      The restrict VLAN is configured, and the interface is added to it.

    • In the interface view:

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run authentication restrict-vlan vlan-id

      The restrict VLAN is configured, and the interface is added to it.

    By default, an interface is not added to the restrict VLAN.

    • A super VLAN cannot be configured as a restrict VLAN.
    • When free IP subnets are configured, the restrict VLAN function becomes invalid immediately.
    • If the authentication function of the built-in Portal server is enabled, the restrict VLAN cannot be configured on interfaces.
    • The restrict VLAN function takes effect only when a user sends untagged packets to the device.
    • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
      • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
      • When the link type is access or trunk, the access control mode can only be based on the interface.
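
The following pre-deployment check is an added example, not Huawei code: it tests a planned restrict VLAN deployment against the constraints listed above and, if none is violated, builds the system-view command from step 2. The Plan fields, the link type and mode labels, and the sample interface names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Access control modes allowed per link type, as listed in the notes above.
# The string labels are hypothetical names chosen for this example.
ALLOWED_MODES = {
    "hybrid-untagged": {"mac", "interface"},
    "access": {"interface"},
    "trunk": {"interface"},
}

@dataclass
class Plan:  # hypothetical description of one intended deployment
    vlan_id: int
    interfaces: list      # one entry per interface group, e.g. "GigabitEthernet 0/0/1 to 0/0/4"
    link_type: str        # "hybrid-untagged", "access" or "trunk"
    access_mode: str      # "mac" or "interface"
    is_super_vlan: bool = False
    free_ip_configured: bool = False
    builtin_portal_auth: bool = False

def check(plan):
    """Return the documented constraints that the plan violates."""
    problems = []
    if plan.is_super_vlan:
        problems.append("a super VLAN cannot be configured as a restrict VLAN")
    if plan.free_ip_configured:
        problems.append("free IP subnets make the restrict VLAN function invalid")
    if plan.builtin_portal_auth:
        problems.append("built-in Portal authentication prevents restrict VLAN on interfaces")
    allowed = ALLOWED_MODES.get(plan.link_type)
    if allowed is None:
        problems.append(f"link type {plan.link_type!r} is not covered by the notes")
    elif plan.access_mode not in allowed:
        problems.append(f"{plan.link_type} link needs access control mode in {sorted(allowed)}")
    if not 1 <= len(plan.interfaces) <= 10:  # &<1-10>: one to ten interface groups
        problems.append("the system-view form takes 1 to 10 interface groups")
    return problems

def system_view_command(plan):
    """Build the system-view command, refusing plans that break a constraint."""
    problems = check(plan)
    if problems:
        raise ValueError("; ".join(problems))
    groups = " ".join(plan.interfaces)
    return f"authentication restrict-vlan {plan.vlan_id} interface {groups}"
```

The check covers only what can be known from the configuration; whether users actually send untagged packets has to be verified on the access side.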

Copyright © Huawei Technologies Co., Ltd.