Aruba & ProVision-based
Showing results for 
Search instead for 
Did you mean: 

Allow tagged vlans for unauthorized devices on port

Occasional Visitor

Allow tagged vlans for unauthorized devices on port

Hi there,

I'm curious if it is possible to allow tagged vlan traffic on a port, on which 802.1x is configured and on which the client is not 802.1x capable...

Example config for the port:

interface 1/1
tagged vlan 40
aaa port-access authenticator
aaa port-access authenticator auth-vid 50
aaa port-access authenticator unauth-vid 100
spanning-tree bpdu-protection

The client, which is not 802.1x capable should be able to go into vlan 40 with its tagged traffic....
Is this possible ? If tried it but it is not working... I'm always getting into vlan 100 and I'm not able to do anything in vlan 40. Is this simply not possible or is there something that I'm missing ?

Honored Contributor

Re: Allow tagged vlans for unauthorized devices on port

Do you mean to allow Tagged VLAN for unsupported (not unauthorized) devices that present on that IEEE 802.1X enabled port?

From what you wrote it seems that unauthorized devices will be yet manged into VLAN 100 and you want that unsupported devices (not 802.1X capable clients) will be instead managed into VLAN 40.

Is that right? if so, the thread title is a little bit confusing.

Apparently it looks similar to Cisco 802.1X with Guest VLANs...

Honored Contributor

Re: Allow tagged vlans for unauthorized devices on port

Don't know in ProVision based Switches...but in Comware 7 based Switches (and also in Comware 5) there should be a command (the dot1x guest-vlan) that could be what you're looking for:

dot1x guest-vlan
Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on
a port accommodates users who have not performed 802.1X authentication. In the guest VLAN, users
can access a limited set of network resources, such as a software server, to download anti-virus software
and system patches.
Use undo dot1x guest-vlan to remove the 802.1X guest VLAN on the specified or all ports.


In system view:
dot1x guest-vlan guest-vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
In Layer 2 Ethernet interface view:
dot1x guest-vlan guest-vlan-id
undo dot1x guest-vlan


No 802.1X guest VLAN is configured on a port.


System view, Layer 2 Ethernet interface view

Default command level
2: System level


guest-vlan-id: Specifies the ID of the VLAN to be specified as the 802.1X guest VLAN,
in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN.
For more information about super VLANs, see "Layer 2—LAN Switching Configuration Guide".
interface interface-list: Specifies a port list.
The interface-list argument is in the format of
interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>,
where interface-type represents the port type, interface-number represents the port number,
and & <1-10> means that you can provide up to 10 ports or port ranges.
The start port number must be smaller than the end number and the two ports must be
of the same type.
If no interface is specified, you configure an 802.1X guest VLAN for all Layer 2 Ethernet ports.
Usage guidelines You must enable 802.1X for an 802.1X guest VLAN to take effect. To have the 802.1X guest VLAN take effect, complete the following tasks:

* Enable 802.1X both globally and on the interface.
* If the port performs port-based access control, enable the 802.1X multicast trigger function.
* If the port performs MAC-based access control, configure the MAC-based VLAN function on the port. When you change the access control method from MAC-based to port-based on a port that carries a guest VLAN, the mappings between MAC addresses and the 802.1X guest VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings. When you change the access control method from port-based to MAC-based on a port that is in a guest VLAN, the port is removed from the guest VLAN. To delete a VLAN that has been configured as a guest VLAN, you must first remove the guest VLAN configuration. You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port. Examples # Specify VLAN 999 as the 802.1X guest VLAN for port GigabitEthernet 1/0/1 <Sysname> system-view [Sysname] dot1x guest-vlan 999 interface gigabitethernet 1/0/1
# Specify VLAN 10 as the 802.1X guest VLAN for ports GigabitEthernet 1/0/2 to GigabitEthernet 1/0/5. <Sysname> system-view [Sysname] dot1x guest-vlan 10 interface gigabitethernet 1/0/2 to gigabitethernet 1/0/5
# Specify VLAN 7 as the 802.1X guest VLAN for all ports. <Sysname> system-view [Sysname] dot1x guest-vlan 7
# Specify VLAN 3 as the 802.1X guest VLAN for port GigabitEthernet 1/0/7. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/7 [Sysname-GigabitEthernet1/0/7] dot1x guest-vlan 3

and that is similar to the Cisco authentication event no-response action authorize vlan vlan-id (look for section "Configuring 802.1X with Guest VLANs" on the "Configuring 802.1X Port-Based Authentication" Chapter of a recent Cisco IOS Software Configuration Guide).

In Cisco, using the IEEE 802.1X for Guest VLANs, seems more near to what you are looking for since it's used "to enable non-802.1X-capable hosts to access networks that use 802.1X authentication."

Honored Contributor

Re: Allow tagged vlans for unauthorized devices on port

Mumble...ProVision based Switches, considering the Port Based 802.1X authentication, should provide the command aaa port-access authenticator <port-list> [control <authorized|auto|unauthorized>]: the authorized (authentication mode) control option, also termed "Force Authorized", gives access to a device connected to the port and that device does not have to provide 802.1X credentials or support 802.1X authentication (You can still configure console, Telnet, or SSH security on the port.).