6.2.1 Authentication mode
The IEEE 802.1X implementation on the Switch provides two basic authentication modes and three authentication sub-modes, described below. The basic authentication mode dictates the level at which authentication is controlled, and the sub-mode specifies the manner in which authentication takes place. The Switch also provides options that can be configured for basic authentication modes and sub-modes. The following table describes the association between authentication modes and options.
Basic authentication modes | Authentication sub-modes | Authentication option |
---|---|---|
Fixed VLAN mode | Single-terminal mode | - |
Fixed VLAN mode | Multiple-terminal mode | - |
Fixed VLAN mode | Terminal authentication mode | Option for restricting the number of terminals to be authenticated |
Dynamic VLAN mode | Single-terminal mode | - |
Dynamic VLAN mode | Terminal authentication mode | Option for restricting the number of terminals to be authenticated |

Legend: -: Not applicable
(1) Basic authentication mode
This subsection describes the basic authentication modes supported on the Switch.
(a) Fixed VLAN
Terminals that undergo successful authentication have their MAC addresses entered in the MAC address table and are permitted access to the VLAN. In fixed VLAN mode, you can configure the following ports as authenticated ports:
- Access port
- Trunk port
The following describes the handling of Tagged frames and Untagged frames that have entered a trunk port.
- If the authentication frame is a Tagged frame, communication can be performed using the VLAN indicated in the VLAN tag after successful authentication.
- If the authentication frame is an Untagged frame, communication can be performed using the native VLAN after successful authentication.
(b) Dynamic VLAN
Terminals that undergo successful authentication have their MAC addresses registered in a MAC VLAN. Terminals are given access to different VLANs before and after authentication.
When describing dynamic VLAN mode, the VLAN to which the terminal belongs prior to authentication is called the pre-authentication VLAN. The VLAN to which the terminal belongs after authentication is called the post-authentication VLAN. In dynamic VLAN mode, you can configure the following ports as authenticated ports:
- MAC port
(2) Authentication submode
The sub-modes that you can apply to basic authentication modes are described below.
(a) Single mode
In single-terminal mode, only one terminal can be authenticated at a given interface. This is the default mode. If the Switch receives an EAP packet from another terminal, the port returns to the unauthorized state. The authentication sequence then resumes after the time period specified by the configuration command elapses.
(b) Multi mode
In multiple-terminal mode, you can attach multiple terminals to a single interface. However, only one of the attached terminals needs to be authenticated for all to be granted access. The Switch will ignore any EAP packets it receives from other terminals after the first terminal is authenticated.
(c) Terminal authentication mode
Terminal authentication mode allows you to attach multiple terminals to a single interface, but requires that each terminal (identified by source MAC address) be authenticated. In this mode, the Switch starts a new authentication sequence when it receives an EAP packet from a new terminal.
(3) Authentication mode option
This subsection describes the options you can configure for authentication modes and sub-modes.
(a) Authentication terminal limit option
This option allows you to restrict the maximum number of terminals that can be authenticated at a given authentication unit. It applies only in terminal authentication mode. The following table describes the values you can set for each authentication mode.
Authentication modes | Initial value | Minimum | Maximum |
---|---|---|---|
Fixed VLAN mode, Dynamic VLAN mode | 1024 | 1 | 1024 |
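The three sub-modes in (2) and the terminal limit option above differ in which source MAC addresses end up with access. The following model is an added example, not the Switch's own code, and makes that difference visible for the same sequence of EAP events. The names `Port`, `on_eap`, `permits` and the event strings are hypothetical; refusing a terminal over the limit is an assumption, and the wait timer in single-terminal mode is not modelled.

```python
# Added illustration: a model of the sub-mode behaviour described in the text.
# It is not the Switch's implementation; all names here are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Port:
    submode: str                 # "single", "multi" or "terminal"
    limit: int = 1024            # terminal limit option (initial value 1024)
    authed: set = field(default_factory=set)  # MACs that passed 802.1X

    def on_eap(self, mac: str, ok: bool = True) -> str:
        """Process an EAP exchange from `mac`; `ok` is the authentication result."""
        if mac in self.authed:
            return "already-authenticated"
        if self.submode == "single" and self.authed:
            # EAP from a second terminal: port returns to the unauthorized state.
            # (The configured wait before re-authentication is not modelled.)
            self.authed.clear()
            return "port-unauthorized"
        if self.submode == "multi" and self.authed:
            # Port is already open; EAP from other terminals is ignored.
            return "ignored"
        if self.submode == "terminal" and len(self.authed) >= self.limit:
            # Assumption: a terminal over the limit is refused authentication.
            return "limit-reached"
        if not ok:
            return "rejected"
        self.authed.add(mac)
        return "authenticated"

    def permits(self, mac: str) -> bool:
        """Would traffic from this source MAC be forwarded?"""
        if self.submode == "multi":
            return bool(self.authed)   # one authenticated terminal opens the port for all
        return mac in self.authed      # single / terminal: per-MAC decision

def demo() -> dict:
    # Constructed sample MACs: A and B hold credentials, C does not.
    A, B, C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    out = {}
    for mode in ("single", "multi", "terminal"):
        port = Port(mode, limit=2)
        events = [port.on_eap(A), port.on_eap(C, ok=False), port.on_eap(B)]
        out[mode] = (events, {m: port.permits(m) for m in (A, B, C)})
    return out

if __name__ == "__main__":
    for mode, (events, access) in demo().items():
        print(mode, events, access)
```

In the multiple-terminal run, terminal C never authenticates yet is permitted, which is why terminal authentication mode is the choice when unmanaged hubs or downstream switches may sit behind an authenticated port.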