12.1.3 Authentication operation
(1) Basic Multistep Authentication Port Behavior
When terminal authentication succeeds, the next step depends on the character string in the RADIUS attribute Filter-Id: either user authentication is then performed, or authentication succeeds as single authentication. For user authentication, authentication succeeds regardless of the RADIUS attribute Filter-Id.
(2) Authentication Operation for the User Authentication Authorization Option Port
On a user authentication authorization option port, authentication succeeds in two main cases.
- The first case is when authentication succeeds after both terminal authentication and user authentication. Here, terminal authentication and user authentication operate in the same way as in basic multistep authentication. If multistep authentication is required on the user authentication authorization option port, set the RADIUS attribute Filter-Id for user authentication to @@MAC-Auth@. User authentication is then not permitted when terminal authentication fails.
- The second case allows user authentication even if terminal authentication fails. Note that you do not need to set the RADIUS attribute Filter-Id for user authorization. In this case, user authentication is performed only while the terminal authentication failure status (pending entry) exists, that is, during the re-authentication interval that applies when MAC authentication fails. Use the configuration command mac-authentication auth-interval-timer to set this re-authentication interval.
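The following check is an added example, not part of the original manual. It lists user-authentication accounts whose Filter-Id is not @@MAC-Auth@, meaning accounts that the second case would still admit after terminal authentication fails. It assumes a FreeRADIUS-style users file and that MAC authentication entries are named by MAC address; the sample data and the names `parse_users` and `users_missing_multistep` are constructed for illustration.

```python
import re

REQUIRED_FILTER_ID = "@@MAC-Auth@"  # value as written in the text above
# Assumption: MAC-authentication entries use the terminal's MAC address as the name.
MAC_NAME = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}$")

# Constructed sample in FreeRADIUS "users" file layout (an assumption, not from the manual).
SAMPLE_USERS = '''\
# terminal (MAC authentication) entry
020000aabb01  Cleartext-Password := "020000aabb01"

# user authentication entries
alice  Cleartext-Password := "constructed-secret-1"
        Filter-Id = "@@MAC-Auth@"

bob    Cleartext-Password := "constructed-secret-2"
        Tunnel-Private-Group-Id = "100"

carol  Cleartext-Password := "constructed-secret-3"
        Filter-Id = "constructed-other-value"
'''

def parse_users(text):
    """Return {entry name: {reply attribute: value}} for a users-file style text."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # skip blank lines and comments
        if not raw[0].isspace():            # header line: name followed by check items
            current = entries.setdefault(raw.split()[0], {})
        elif current is not None:           # indented line: one or more reply items
            for item in raw.split(","):
                m = re.match(r'\s*([\w-]+)\s*[:+]?=\s*"?([^"]*)"?\s*$', item)
                if m:
                    current[m.group(1)] = m.group(2)
    return entries

def users_missing_multistep(entries):
    """User accounts whose Filter-Id does not require terminal authentication first."""
    return sorted(name for name, reply in entries.items()
                  if not MAC_NAME.match(name)
                  and reply.get("Filter-Id") != REQUIRED_FILTER_ID)

if __name__ == "__main__":
    for name in users_missing_multistep(parse_users(SAMPLE_USERS)):
        print(f"{name}: Filter-Id is not {REQUIRED_FILTER_ID!r}; "
              "user authentication is allowed while a pending entry exists")
```

An account flagged here is only a finding when multistep authentication is required on the port; where the second case is intended, the missing Filter-Id is expected.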
(3) Authentication Operation for the Terminal Authentication dot1x Optional Port
When terminal authentication succeeds, either user authentication is performed according to the character string in the RADIUS attribute Filter-Id, or authentication succeeds as single authentication. On this port, both MAC authentication and IEEE802.1X can be used for terminal authentication. For user authentication, authentication succeeds regardless of the RADIUS attribute Filter-Id.
If IEEE802.1X authentication is used for terminal authentication, that terminal must not be registered as a MAC authentication target on the RADIUS servers used for terminal authentication.