Configuration Guide Vol. 2


5.1.1 Layer 2 authentication type

The Switch supports the following functionality for authentication at the Layer 2 level:

Several authentication modes are used in Layer 2 authentication. The table below provides an overview of Layer 2 authentication functionality by authentication mode.

Although some types of authentication functionality will work with other networking functionality, other types will not. For details about the feature combinations, see 5.2 Compatibility between Layer 2 authentication and other functionality.

Table 5-1: Functions supported by Layer 2 authentication

| Layer 2 authentication | Authentication mode | Overview |
|---|---|---|
| IEEE802.1X | Fixed VLAN mode | After successful authorization, you can communicate within the VLAN. Fixed VLAN mode has the following three authentication submodes, which have different authentication operations: 1. Single-terminal mode: In this mode, only one terminal is authenticated and connected per authentication unit. When an authentication request arrives from another terminal on the same port, the port reverts to the unauthorized state. 2. Multiple-terminal mode: This mode allows multiple terminals to connect to the physical port or channel group. In this mode, only one of the attached terminals needs to be authenticated. 3. Terminal authentication mode: This mode allows multiple terminals to connect to the physical port or channel group. Each terminal is subject to authentication. |
| IEEE802.1X | Dynamic VLAN mode | After successful authentication, a terminal is permitted access to the VLAN assigned to its MAC address. In dynamic VLAN mode, there are two authentication submodes: single mode and terminal authentication mode. |
| Web Authentication | Fixed VLAN mode | A terminal is permitted access to the VLAN after successful user authentication. |
| Web Authentication | Dynamic VLAN mode | After successful user authentication, the terminal is permitted access to the VLAN associated with its MAC address. Authorization is enabled on the physical port where the MAC VLAN is configured. |
| MAC-based Authentication | Fixed VLAN mode | A terminal is permitted access to the VLAN after successful user authentication. |
| MAC-based Authentication | Dynamic VLAN mode | After successful authentication, a terminal is permitted access to the VLAN assigned to its MAC address. |
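The three IEEE802.1X fixed VLAN submodes differ in which terminals gain access once one terminal has authenticated. The following model is an added example, not the Switch's implementation or code from this guide; it replays authentication events against one authentication unit to show that difference. Assumptions: all names (`Port`, `replay`, the submode constants) are hypothetical, single-terminal mode is modelled as admitting only the authenticated terminal, and re-authentication after a revert to the unauthorized state is not modelled.

```python
from dataclasses import dataclass, field

SINGLE, MULTI, TERMINAL = "single-terminal", "multiple-terminal", "terminal-auth"

@dataclass
class Port:
    """Simplified model of one authentication unit (illustrative, not Switch code)."""
    submode: str
    authenticated: set = field(default_factory=set)  # MACs that passed authentication

    def auth_request(self, mac: str, ok: bool) -> None:
        """Process an authentication request; ok is the authentication result."""
        others = self.authenticated - {mac}
        if self.submode == SINGLE and others:
            # A request from another terminal returns the port to unauthorized.
            self.authenticated.clear()
            return
        if ok:
            self.authenticated.add(mac)
        else:
            self.authenticated.discard(mac)

    def may_forward(self, mac: str) -> bool:
        """True if frames from this source MAC are admitted to the VLAN."""
        if self.submode == MULTI:
            # One authenticated terminal is enough for every attached terminal.
            return bool(self.authenticated)
        # SINGLE and TERMINAL: only a terminal that authenticated itself.
        return mac in self.authenticated

def replay(submode, events, probes):
    """Apply (mac, ok) authentication events, then report access per probed MAC."""
    port = Port(submode)
    for mac, ok in events:
        port.auth_request(mac, ok)
    return {mac: port.may_forward(mac) for mac in probes}

# Constructed sample: terminal A authenticates, terminal B shares the port via a hub.
A, B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"

if __name__ == "__main__":
    for mode in (SINGLE, MULTI, TERMINAL):
        print(mode, replay(mode, [(A, True)], [A, B]))
    print(SINGLE, "after B requests:", replay(SINGLE, [(A, True), (B, True)], [A, B]))
```

In this model, multiple-terminal mode is the only submode in which the unauthenticated terminal B gains access, which is the property to weigh when a port may have a hub or unmanaged switch behind it.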

The Switch can perform multi-step authentication, which combines multiple authentication functions to authenticate in two steps. In multi-step authentication, the first level of authentication is called terminal authentication and the second level of authentication is called user authentication. Operation that authenticates in two stages, terminal authentication and then user authentication, is called multi-step authentication, and operation that authenticates with only a single authentication function is called single authentication.

The following table describes the combinations of authentication functions that can be used for terminal authentication and user authentication in multi-step authentication. When combining authentication functions, set the authentication mode to either fixed VLAN mode or dynamic VLAN mode.

Table 5-2: Combinations of authentication functions that can be used for terminal authentication and user authentication

| Combination pattern | Terminal authentication | User authentication |
|---|---|---|
| Combining MAC and IEEE802.1X Authentication | MAC-based Authentication | IEEE802.1X authentication* |
| Combining MAC and Web Authentication | MAC-based Authentication | Web Authentication |
| Combining IEEE802.1X and Web Authentication | IEEE802.1X authentication* | Web Authentication |

*: Set the authentication submode to terminal authentication mode, and set the terminal detection operation to auto.