Web and MAC Authentication

Overview

Each new Web/MAC Auth client always begins with a MAC authentication attempt. The same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authentication succeeds, the other (if still in progress) is ended. No further Web or MAC authentication attempts are allowed for that client until it is deauthenticated.

Web and MAC authentication cannot both be enabled on a port that has an unauthenticated VLAN (that is, a guest VLAN) configured for MAC authentication. Equally, an unauthenticated VLAN cannot be configured for MAC authentication on a port where Web and MAC authentication are both enabled.

Hitless reauthentication must use the same method (MAC) that was used for the initial authentication. Non-hitless reauthentication can use either method.

The remaining Web/MAC functionality, including interactions with 802.1X, remains the same. Web and MAC authentication can be used for different clients on the same port.

Normally, MAC authentication finishes well before Web authentication. If Web authentication completes first, however, the MAC authentication attempt is abandoned even though it might have succeeded. There is no guarantee that MAC authentication ends before Web authentication begins for the client.

Concurrent Web and MAC authentication is backward compatible with all existing user configurations.

Authorized and Unauthorized Client VLANs

Web-Auth and MAC-Auth provide a port-based solution in which a port belongs to one untagged VLAN at a time. The switch supports up to 32 simultaneous client sessions per port, and all authenticated client sessions on a port operate in the same untagged VLAN. (If you need the switch to support multiple client sessions in different VLANs at the same time, design your system so that those clients request network access on different switch ports.)
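The rules in the Overview (a MAC attempt always starts first, Web auth may start before MAC succeeds, the first success ends the other attempt, no further attempts until deauthentication, hitless reauthentication is MAC-only, and Web/MAC auth cannot share a port with a MAC-auth guest VLAN) together with the 32-sessions-per-port limit above are easier to reason about as a small state machine. The following Python model is an added example written for this page; it is not switch firmware or vendor code. The class names, method names, state flags and the sample MAC addresses are assumptions made for illustration.

```python
"""Model of the concurrent Web/MAC authentication rules on a single port.

Hypothetical simulation for illustration only (not vendor code): the
PortConfig/ClientSession classes, their method names and the state flags
are assumptions; the rules they enforce are the ones stated in the text.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class AuthPolicyError(Exception):
    """Raised when a configuration or client action violates the rules."""


@dataclass
class PortConfig:
    web_auth: bool = False
    mac_auth: bool = False
    mac_unauth_vid: Optional[int] = None  # guest VLAN for MAC auth, if any
    max_clients: int = 32                 # per-port session limit from the text
    sessions: Dict[str, "ClientSession"] = field(default_factory=dict)

    def validate(self) -> None:
        # Web and MAC auth may not coexist on a port whose MAC auth has an
        # unauthenticated (guest) VLAN; the reverse configuration order is
        # rejected by the same check.
        if self.web_auth and self.mac_auth and self.mac_unauth_vid is not None:
            raise AuthPolicyError(
                "web-based and mac-based auth cannot share a port that has "
                "a MAC-auth unauthenticated VLAN")

    def admit(self, mac: str) -> "ClientSession":
        """Create a session for a newly seen client (starts its MAC attempt)."""
        self.validate()
        if len(self.sessions) >= self.max_clients:
            raise AuthPolicyError(f"port already holds {self.max_clients} sessions")
        session = ClientSession(mac, self)
        session.connect()
        self.sessions[mac] = session
        return session


@dataclass
class ClientSession:
    mac: str
    port: PortConfig
    mac_in_progress: bool = False
    web_in_progress: bool = False
    authenticated_by: Optional[str] = None  # "mac", "web" or None

    def connect(self) -> None:
        """A new client always begins with a MAC authentication attempt."""
        if not self.port.mac_auth:
            raise AuthPolicyError("mac-based auth not enabled on port")
        self.mac_in_progress = True

    def start_web_auth(self) -> None:
        """Web auth may start at any time before MAC auth has succeeded."""
        if not self.port.web_auth:
            raise AuthPolicyError("web-based auth not enabled on port")
        if self.authenticated_by is not None:
            raise AuthPolicyError("no further attempts until deauthenticated")
        self.web_in_progress = True

    def _finish(self, method: str, success: bool) -> None:
        flag = "mac_in_progress" if method == "mac" else "web_in_progress"
        # A result for an attempt that is not running (e.g. a MAC result that
        # arrives after Web auth already won) is rejected, not applied.
        if self.authenticated_by is not None or not getattr(self, flag):
            raise AuthPolicyError(f"no {method} authentication in progress")
        setattr(self, flag, False)
        if success:
            # Whichever method succeeds first wins; the other attempt ends.
            self.authenticated_by = method
            self.mac_in_progress = self.web_in_progress = False

    def mac_result(self, success: bool) -> None:
        self._finish("mac", success)

    def web_result(self, success: bool) -> None:
        self._finish("web", success)

    def reauthenticate(self, method: str, hitless: bool) -> None:
        if self.authenticated_by is None:
            raise AuthPolicyError("client is not authenticated")
        # Hitless reauth must reuse MAC, the method of the initial auth;
        # a non-hitless reauth may use either method.
        if hitless and not (method == "mac" and self.authenticated_by == "mac"):
            raise AuthPolicyError("hitless reauthentication must be MAC-based")

    def deauthenticate(self) -> None:
        """Only after this may the client attempt authentication again."""
        self.authenticated_by = None
        self.mac_in_progress = self.web_in_progress = False
        self.port.sessions.pop(self.mac, None)


def web_finishes_first() -> Tuple[Optional[str], bool, bool]:
    """Edge case from the text: Web auth completes before the MAC attempt.

    Returns (authenticated_by, mac_still_in_progress, late_mac_result_accepted).
    """
    port = PortConfig(web_auth=True, mac_auth=True)
    session = port.admit("00:11:22:33:44:55")  # constructed sample MAC
    session.start_web_auth()
    session.web_result(True)       # Web wins; the pending MAC attempt is dropped
    try:
        session.mac_result(True)   # a MAC success arriving now is ignored
        accepted = True
    except AuthPolicyError:
        accepted = False
    return session.authenticated_by, session.mac_in_progress, accepted


def guest_vlan_conflict() -> bool:
    """True if the model rejects Web+MAC auth on a port with a MAC guest VLAN."""
    try:
        PortConfig(web_auth=True, mac_auth=True, mac_unauth_vid=99).validate()
        return False
    except AuthPolicyError:
        return True
```

The model deliberately raises on a late result for an attempt that is no longer running, which is the observable consequence of "the other authentication (if in progress) is ended": a RADIUS accept for the abandoned MAC attempt must not upgrade or change the session that Web authentication already established.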

In the default configuration, the switch blocks access to all clients that the RADIUS server does not authenticate. However, you can configure an individual port to provide limited network services and access to unauthorized
