Table of Contents
Advertisement
Web and MAC Authentication
Overview
4-4
support multiple client sessions in different VLANs for a network application,
design your system so that clients request network access on different switch
ports.)
In the default configuration, the switch blocks access to all clients that the
RADIUS server does not authenticate. However, you can configure an
individual port to provide limited network services and access to unauthorized
clients by using an "unauthorized" VLAN for each session. The unauthorized
VLAN ID assignment can be the same for all ports, or different, depending on
the services and access you plan to allow for unauthenticated clients.
You configure access to an optional, unauthorized VLAN when you configure
Web and MAC authentication on a port.
RADIUS-Based Authentication
In Web and MAC authentication, you use a RADIUS server to temporarily
assign a port to a static VLAN to support an authenticated client. When a
RADIUS server authenticates a client, the switch-port membership during the
client's connection is determined according to the following hierarchy:
1.
A RADIUS-assigned VLAN
2.
An authorized VLAN specified in the Web- or MAC-Auth configuration for
the subject port.
3.
A static, port-based, untagged VLAN to which the port is configured. A
RADIUS-assigned VLAN has priority over switch-port membership in any
VLAN.
Wireless Clients
You can allow wireless clients to move between switch ports under Web/MAC
Authentication control. Clients may move from one Web-authorized port to
another or from one MAC-authorized port to another. This capability allows
wireless clients to move from one access point to another without having to
reauthenticate.
Hide quick links:
Advertisement
Table of Contents
