5.2.2 Coexistence in the same port
This section describes, for the following categories, the combinations of authentication modes that the Switch supports when using multiple Layer 2 authentication strategies simultaneously on a single port:
- Fixed VLAN mode
- Dynamic VLAN mode
- Fixed VLAN mode and dynamic VLAN mode
- Legacy mode
(1) Coexistence of Fixed VLAN Modes on the Same Port
| Port type | IEEE802.1X port-based authentication | IEEE802.1X VLAN-based authentication (static) | Web Authentication (fixed VLAN mode) | MAC-based Authentication (fixed VLAN mode) |
|---|---|---|---|---|
| Access port | OK #1 | - | OK | OK |
| Access port | - | OK | OK | OK |
| Channel group port (access port) | OK | NG | - | - |
| Channel group port (access port) | - | OK | - | - |
| Trunk port | - | OK #2 | OK | OK |
| Channel group port (trunk port) | - | OK #2 | - | - |
| All other cases | - | - | - | - |
Legend: OK: Supported; NG: Not supported, but can be specified in the device configuration; -: Cannot be set in the configuration

Note #1: You must use terminal authentication mode if you set up IEEE 802.1X port-based authentication for a port that has Web authentication and MAC-based authentication configured. (Do not use single-terminal or multiple-terminal mode.)
Omit the following configuration commands:
- dot1x force-authorized-port
- dot1x port-control force-authorized
- dot1x port-control force-unauthorized
- dot1x multiple-hosts

Note #2: When VLANs that do and do not require authentication are assigned to the same port, terminals connected to that port will be unable to access the non-authenticating VLANs. You can overcome this limitation by using the authentication-exempted port option.

Example of interpreting interoperability tables: When the connection target is an access port, you can use IEEE 802.1X port-based authentication, Web authentication (fixed VLAN mode), and MAC-based authentication (fixed VLAN mode) concurrently on the same port. Alternatively, you can use IEEE 802.1X VLAN-based authentication (static), Web authentication (fixed VLAN mode), and MAC-based authentication (fixed VLAN mode) on the same port.
(2) Coexistence of Dynamic VLAN Modes on the Same Port
| Port type | IEEE802.1X VLAN-based authentication (dynamic) | Web Authentication (dynamic VLAN mode) | MAC-based Authentication (dynamic VLAN mode) |
|---|---|---|---|
| MAC port | OK | OK | OK |
| All other cases | NG | NG | NG |
Legend: OK: Operable; NG: Inoperable
(3) Coexistence of dynamic VLAN mode and fixed VLAN mode on the same port
| Port type | Type of received frames | IEEE802.1X VLAN-based authentication (static) | IEEE802.1X VLAN-based authentication (dynamic) | Web Authentication (fixed VLAN mode) | Web Authentication (dynamic VLAN mode) | MAC-based Authentication (fixed VLAN mode) | MAC-based Authentication (dynamic VLAN mode) |
|---|---|---|---|---|---|---|---|
| MAC port configured with dot1q | Tagged frame | OK #1 | NG | NG | NG | OK | NG |
| MAC port configured with dot1q | Untagged frame | NG | OK | OK #2 | OK | OK #2 | OK |
Legend: OK: Operable; NG: Inoperable
Note #1: When VLANs that do and do not require authentication are assigned to the same port, terminals connected to that port will be unable to access the non-authenticating VLANs. You can overcome this limitation by using the authentication-exempted port option.

Note #2: When using RADIUS authentication, if the RADIUS server does not indicate which VLAN a terminal should attach to after authentication, the terminal attaches to the native VLAN as a member of a fixed VLAN. However, when a terminal is moved to a different port, the destination port operates in dynamic VLAN mode.
(4) Coexistence of Legacy Mode on the Same Port
| Port type | IEEE802.1X VLAN-based authentication (dynamic) | Web Authentication (legacy mode) | MAC-based Authentication (all modes) |
|---|---|---|---|
| MAC port | OK | OK | NG |
| All other cases | NG | NG | NG |
Legend: OK: Operable; NG: Inoperable