Web and MAC Authentication

How Web and MAC Authentication Operate

Figure 3-2. Progress Message During Authentication

If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. If specified, the client is redirected to a specific URL (redirect-url).

Figure 3-3. Authentication Completed

The assigned VLAN is determined, in order of priority, as follows:

1.If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.

2.If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the authorized VLAN (auth-vidif configured) and temporarily drops all other VLAN memberships.

3.If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.

4.If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.

The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthenti- cation of all clients. Also, if a client moves from one port to another and client

3-6