Enterasys Networks 6E2xx, 6G3xx, 6H2xx, 6H3xx 3.6.3.3 Concurrent Operation of 802.1X and MAC Authentication

Overview of Security Methods

3-22 Accessing Local Management

3.6.3.3 Concurrent Operation of 802.1X and MAC Authentication

This section defines the precedence rules to determine which authentication method, 802.1X

(EAP) or MAC Authentication has control over an interface. Setting the 802.1X and MAC port

authentication is described in Section 3.11.

When both methods are enabled, 802.1X takes precedence over MAC Authentication when a user

is authenticated using the 802.1X method. If the port or MAC remains unauthenticated in 802.1X,

then MAC authentication is active and may authenticate the next MAC address received on that

port.

You can configure MAC Authentication and 802.1X to run concurrently on the same module, but

exclusively on distinct interfaces of that module. To achieve this, the 802.1X port behavior in the

force-unauthorized state is overloaded. When 802.1X and MAC Authentication are enabled, set

the 802.1X MIB to force-unauthorized for the interface in question and enable

MACAuthentication. This allows the MAC Authentication to run unhindered by 802.1X on that

interface. This, in effect, disables all 802.1X control over that interface. However, if a default

policy exists on that port, the switch forwards the frames according to that policy, otherwise the

switch drops them.

If a switch port is configured to enable both 802.1X and MAC Authentication, then it is possible

for the switch to receive a start or a response 802.1X frame while a MAC Authentication is in

progress. If this situation, the switch immediately aborts MAC Authentication. The 802.1X

authentication then proceeds to completion. After the 802.1X login completes, the user has either

succeeded and gained entry to the network, or failed and is denied access to the network. After the

802.1X login attempt, no new MAC Authentication logins occur on this port until:

•A link is toggled.

•The user executes an 802.1X logout.

•Management terminates the 802.1X session.

When a port is set for concurrent use of MAC and 802.1X authentication, the switch continues to

issue EAPOL request/id frames until a MAC Authentication succeeds or the switch receives an

EAPOL response/id frame.

NOTE: The switch may terminate a session in many different ways. All of these

reactivate the MAC authentication method. Refer to Tab l e 3-5 for the precedence

relationship between MAC and 802.1X authentication.