Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches
Operating Rules and Notes
Operating Rules and Notes
■ You can configure one type of authentication on a port. That is, the
following authentication types are mutually exclusive on a given
port:
• Web Authentication
• MAC Authentication
• 802.1X
■ Order of Precedence for Port Access Management (highest to lowest):
• MAC lockout
• MAC lockdown or Port Security
• Port-based Access Control (802.1X) or Web Authentication or MAC
Authentication
Note on Port When configuring a port for Web or MAC Authentication, be sure that a higher
Access
precedent port access management feature is not enabled on the port. For
Management
example, be sure that Port Security is disabled on a port before configuring it
for Web or MAC Authentication. If Port Security is enabled on the port this
misconfiguration does not allow Web or MAC Authentication to occur.
■ VLANs: If your LAN does not use multiple VLANs, then you do not
need to configure VLAN assignments in your RADIUS server or
consider using either Authorized or Unauthorized VLANs. If your LAN
does use multiple VLANs, then some of the following factors may
apply to your use of Web-Auth and MAC-Auth.
• Web-Auth and MAC-Auth operate only with port-based VLANs. Oper-
ation with protocol VLANs is not supported, and clients do not have
access to protocol VLANs during Web-Auth and MAC-Auth sessions.
• A port can belong to one, untagged VLAN during any client session.
Where multiple authenticated clients may simultaneously use the
same port, they must all be capable of operating on the same VLAN.
• During an authenticated client session, the following hierarchy deter-
mines a port’s VLAN membership:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the
client session, the port belongs to this VLAN and temporarily
drops all other VLAN memberships.
3-10