5.3.3 Forced authentication

Ports for which the authentication force-authorized enable command is configured consider all login requests to be successful in the following circumstances:

• RADIUS authentication is specified but there is no response from the designated RADIUS server

• Local authentication is specified, but no authentication data exists on the device:

  • For Web authentication, this means that no users are registered in the internal Web authentication DB.

  • For MAC-based authentication, this means that no MAC addresses are registered in the internal MAC-based authentication database.

Users subject to forced authentication are treated the same as normal authenticated users for the duration of the authentication session. The following table describes the authentication modes that support forced authentication:

Table 5-10: Authentication modes in which forced authentication operates

Functionality	IEEE802.1X		Web Authentication		MAC-based Authentication
	Fixed VLAN mode	Dynamic VLAN mode	Fixed VLAN mode	Dynamic VLAN mode	Fixed VLAN mode	Dynamic VLAN mode
Forced authentication	NG	NG	OK	OK #	OK	OK #

Notes on configuring forced authentication:

Because forced authentication can pose a security risk, consider the implications carefully before using it.

Example: When using a RADIUS server for MAC-based authentication

When Web authentication and MAC-based authentication are both configured for a port in force-authorized mode and a RADIUS server is set up for MAC-based authentication, if communication with the RADIUS server fails for some reason, forced authentication comes into operation. In this case, terminals subject to Web authentication will be permitted access without going through the Web authentication process.