12.1.2 Support function
- <Structure of this section>
(1) Combination of Authentication Functions That Run Multi-Step Authentication and the Authentication Mode
You can use two combinations of IEEE802.1X authentication, Web authentication, and MAC authentication. For details about authentication combinations and authentication modes, see 5.1.1 Layer 2 authentication types.
(2) Multistep Authentication Options
Multi-step authentication includes basic multi-step authentication without option settings and option settings, which are set in the configuration command authentication multi-step. The following table describes the options for multi-step authentication.
|
Terminal authentication |
User authentication |
Option type (Configuration*) |
Operational overview |
|---|---|---|---|
|
MAC-based Authentication |
IEEE802.1X or Web authentication |
Basic multi-step authentication (no parameter) |
User authentication can be performed only when terminal authentication is successful. |
|
User authentication authorization options (permissive parameter) |
User authentication can be performed even if terminal authentication fails. |
||
|
IEEE802.1X or MAC-based authentication |
Web Authentication |
Terminal authentication dot1x Optional (dot1x parameter) |
User authentication can be performed only when terminal authentication is successful. |
- #
-
Can be specified for each port.
(3) Authentication method
Multi-step authentication supports only RADIUS authentication method. For terminal authentication, when RADIUS servers receive Access-Accept, the authentication operation is determined by Filter-Id or Tunnel-Private-Group-ID character string. The following table describes the text strings that are set for the attribute names used for multi-step authentication and the corresponding authentication behavior.
|
Attribute-name (Type) |
Types of RADIUS servers |
Character string |
Authentication operation |
|---|---|---|---|
|
Filter-Id (11) |
RADIUS servers for terminal authentication |
@@1X-Auth@@ |
Authenticate IEEE802.1X as user authentication. |
|
@@Web-Auth@@ |
Authenticate Web as user authentication. |
||
|
@@MultiStep@@ |
Perform Web or IEEE802.1X authentication as user authentication. |
||
|
Blank (Filter-Id not set) or another character string*1 |
Authentication succeeds with terminal authentication only (single authentication). |
||
|
RADIUS servers for user authentication |
@@MAC-Auth@@ |
Used when user authentication authorization option is set. Do not allow user authentication when terminal authentication fails. |
|
|
Blank (Filter-Id not set) or another character string*1 |
Used when user authentication authorization option is set. Authorizes user authentication even if terminal authentication fails. |
||
|
Tunnel-Private-Group-ID (81) |
RADIUS servers for terminal authentication |
Character string to identify VLAN *2 |
Used for dynamic VLAN. Specifies VLAN to which the terminal that was successfully authenticated belongs. |
|
RADIUS servers for user authentication |
Character string to identify VLAN *2 |
Used for dynamic VLAN. Specifies VLAN to which the terminal that successfully authenticated the user belongs. |
- #1
-
If you use any other character string, do not include the character string used for multi-step authentication (for example, "@@1X-Auth@@"). The Switch does not recognize it as another character string.
- #2
-
For information about what you specify for strings, see Tunnel-Private-Group-ID used for authentication in IEEE802.1X Authentication, Web Authentication, and MAC Authentication descriptions.