Multiple Authentication Methods - Cisco 500 Series Administration Manual

Security: 802.1X Authentication
Authenticator Overview
Cisco 500 Series Stackable Managed Switch Administration Guide
multi-sessions mode, they support a limited form of multi-sessions mode,
which does not support guest VLAN and RADIUS VLAN attributes. The
maximum number of authorized hosts allowed on the port is configured in
the Port Authentication page.
Tagged traffic belonging to an unauthenticated VLAN is always bridged
regardless of whether the host is authorized or not.
Tagged and untagged traffic from unauthorized hosts not belonging to an
unauthenticated VLAN is remapped to the guest VLAN if it is defined and
enabled on the VLAN, or is dropped if the guest VLAN is not enabled on the
port.
If an authorized host is assigned a VLAN by a RADIUS server, all its tagged
and untagged traffic not belonging to the unauthenticated VLANs is bridged
via the VLAN; if the VLAN is not assigned, all its traffic is bridged based on
the static VLAN membership port configuration.
The following devices support the multi-sessions mode without guest
VLAN and RADIUS-VLAN assignment:
- Sx500/ESW2-550X in Layer 3 router mode
- SG500X in basic and advanced hybrid stacking mode
- SG500XG

Multiple Authentication Methods

If more than one authentication method is enabled on the switch, the following
hierarchy of authentication methods is applied:
• 802.1x Authentication: Highest
• WEB-Based Authentication
• MAC-Based Authentication: Lowest
Multiple methods can run at the same time. When one method finishes
successfully, the client becomes authorized, the methods with lower priority are
stopped and the methods with higher priority continue.
When one of authentication methods running simultaneously fails, the other
methods continue.
22
486