Web and MAC Authentication
Web and MAC Authentication includes the following:
On a port configured for Web or MAC Authentication, the switch
operates as a port-access authenticator using a RADIUS server and
CHAP (Challenge Handshake AuthenticationProtocol). Inbound
traffic is processed by the switch alone, until authentication occurs.
Some traffic from the switch is available to an unauthorized client (for
example, broadcast or unknown destination packets) before authen-
Proxy servers may not be used by browsers accessing the switch
through ports using Web Authentication.
You can optionally configure the switch to temporarily assign "autho-
rized" and "unauthorized" VLAN memberships on a per-port basis to
provide different services and access to authenticated and unauthen-
Web pages for username and password entry and the display of
authorization status are provided when using Web Authentication.
You can use the RADIUS server to temporarily assign a port to a static
VLAN to support an authenticated client. When a RADIUS server
authenticates a client, the switch-port membership during the client's
connection is determined according to the following hierarchy:
A RADIUS-assigned VLAN
An authorized VLAN specified in the Web- or MAC-Auth configuration
for the subject port.
A static, port-based, untagged VLAN to which the port is configured.
A RADIUS-assigned VLAN has priority over switch-port membership
in any VLAN.
You can allow wireless clients to move between switch ports under
Web/MAC Authentication control. Clients may move from one Web
authorized port to another or from one MAC authorized port to
another. This capability allows wireless clients to move from one
access point to another without having to reauthenticate.
Unlike 802.1X operation, clients do not need supplicant software for
Web or MAC Authentication; only a Web browser (for Web Authenti-
cation) or a MAC address (for MAC Authentication).
You can use "Show" commands to display session status and port-
access configuration settings.