Configuration Guide Vol. 2


5.2.3 Priority of authentication when Layer 2 authentication is used together


(1) Prioritizing authentication when IEEE 802.1X coexists with Web authentication or MAC authentication

If a terminal that has undergone successful Web or MAC-based authentication later completes IEEE 802.1X port-based or VLAN-based (static) authentication, the result of the IEEE 802.1X process takes priority. In this case, the terminal loses the authentication status it gained by Web or MAC-based authentication. Users who performed Web authentication will not be presented with a logout page.

The figure below illustrates a situation where an IEEE 802.1X-authenticated terminal (having undergone port-based authentication in terminal authentication mode or VLAN-based authentication in static mode) is moved from one hub (HUB#1) to another hub (HUB#2) attached to a different port. Here, the user will be unable to log in using Web or MAC-based authentication (in fixed VLAN mode) without first canceling the IEEE 802.1X authentication status. To do so, use the clear dot1x auth-state command.

Figure 5-4: Web authentication or MAC authentication after port-moving for terminals authenticated by IEEE 802.1X


If this same terminal successfully undergoes Web authentication (dynamic VLAN mode or legacy mode) or MAC-based authentication (dynamic VLAN mode), and then later completes IEEE 802.1X VLAN-based (dynamic) authentication, the result of the IEEE 802.1X process takes priority. In this case, the terminal will be attached to the VLAN specified in the IEEE 802.1X configuration, and lose the authentication status it gained by Web or MAC-based authentication. Users who performed Web authentication will not be presented with a logout page.

(2) Prioritizing authentication when Web authentication and MAC authentication coexist

If a terminal that has successfully undergone MAC-based authentication then attempts Web authentication, the Web authentication will fail. Similarly, if a Web-authenticated terminal subsequently attempts MAC-based authentication, the authentication process will end in an error and the Web authentication status will remain in effect.
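The rules in (1) and (2) can be checked against a test plan with a small model. The following is an added example, not code from this guide or the switch software. It is useful for predicting which authentication status a terminal holds after a sequence of attempts. Assumptions: the names AuthTable and replay are hypothetical, authentication modes and ports are collapsed into a single entry per terminal, and the clear command is modeled per terminal.

```python
# Added example: toy model of the priority rules above, not vendor code.
from dataclasses import dataclass, field

DOT1X, WEB, MAC = "dot1x", "web", "mac"

@dataclass
class AuthTable:
    # terminal MAC address -> (method, vlan) of the authentication in effect
    entries: dict = field(default_factory=dict)

    def authenticate(self, terminal, method, vlan):
        """Record a successful credential check and return the outcome."""
        current = self.entries.get(terminal)
        if method == DOT1X:
            # (1) The IEEE 802.1X result takes priority: Web/MAC status is
            # lost and the terminal uses the VLAN from the 802.1X result.
            self.entries[terminal] = (DOT1X, vlan)
            if current and current[0] != DOT1X:
                return f"accepted, replaced {current[0]}"
            return "accepted"
        if current is None:
            self.entries[terminal] = (method, vlan)
            return "accepted"
        if current[0] == DOT1X:
            # (1) Web/MAC cannot succeed until the 802.1X status is cleared.
            return "rejected: clear dot1x auth-state first"
        if current[0] != method:
            # (2) Web and MAC never override each other; the first one stays.
            return f"rejected: {current[0]} status remains"
        return "unchanged"  # same method again: not covered by the page (assumption)

    def clear_dot1x(self, terminal):
        """Stand-in for `clear dot1x auth-state`, scoped to one terminal (assumption)."""
        if self.entries.get(terminal, (None, None))[0] == DOT1X:
            del self.entries[terminal]
            return True
        return False

def replay(events):
    """Run ("auth", terminal, method, vlan) / ("clear", terminal) events in order."""
    table, outcomes = AuthTable(), []
    for kind, *args in events:
        if kind == "clear":
            outcomes.append("cleared" if table.clear_dot1x(*args) else "nothing to clear")
        else:
            outcomes.append(table.authenticate(*args))
    return outcomes, table.entries

# Constructed sample: one terminal (documentation-range MAC address).
SAMPLE = [("auth", "00:00:5e:00:53:01", MAC, 10), ("auth", "00:00:5e:00:53:01", DOT1X, 20)]
```

Calling replay(SAMPLE) shows the MAC-based status being replaced by the IEEE 802.1X result and the terminal ending up on the VLAN from the 802.1X result.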