6.2.1 Authentication mode
On the Switch, IEEE 802.1X defines three basic authentication modes and a further three sub-modes. The basic authentication mode dictates the level at which authentication is controlled, and the sub-mode specifies the manner in which authentication takes place. The Switch also provides options that can be configured for basic authentication modes and sub-modes. The following table describes the association between authentication modes and options.
| Basic authentication mode | Authentication sub-mode | Authentication option |
|---|---|---|
| Port-based authentication | Single-terminal mode | - |
| | Multiple-terminal mode | - |
| | Terminal authentication mode | Authentication-exempted terminal option |
| | | Option for restricting the number of terminals to be authenticated |
| VLAN-based authentication (static) | Terminal authentication mode | Authentication-exempted terminal option |
| | | Authentication-exempted port option |
| | | Option for restricting the number of terminals to be authenticated |
| VLAN-based authentication (dynamic) | Terminal authentication mode | Authentication-exempted terminal option |
| | | Option for restricting the number of terminals to be authenticated |
| | | Authentication default VLAN |

Legend: -: Not applicable
IEEE 802.1X as implemented on the Switch treats a channel group as a single aggregate port. In describing this functionality, the term port includes normal ports and channel groups.
(1) Basic authentication mode
This subsection describes the basic authentication modes supported on the Switch.
(a) Port-based authentication
In port-based authentication mode, IEEE 802.1X controls authentication at the physical port or channel group level. This is the default mode for IEEE 802.1X. In this mode, the Switch cannot process EAPOL frames that carry an IEEE 802.1Q VLAN tag and discards any such frames it receives.
The following figure describes an example of a topology using port-based authentication:
[Figure: topology example for port-based authentication]
(b) VLAN-based authentication (static)
In this mode, IEEE 802.1X controls authentication at the VLAN level. The Switch can process EAPOL frames that use IEEE 802.1Q VLAN tagging. Use this mode in configurations where an L2 switch that uses IEEE 802.1Q VLAN tagging to encapsulate frames is connected between the terminal and a Switch. Untagged EAPOL frames are assumed to belong to the native VLAN of the port.
The following figure describes an example of a topology using VLAN-based authentication (static):
[Figure: topology example for VLAN-based authentication (static)]
(c) VLAN-based authentication (dynamic)
In this mode, IEEE 802.1X controls authentication per terminal within a MAC VLAN. The Switch does not process EAPOL frames that carry an IEEE 802.1Q VLAN tag in this mode; any tagged EAPOL frames it receives are handled by VLAN-based authentication (static) instead.
A trunk port or access port that is configured as a member of the MAC VLAN is treated as an authentication-exempted port.
When a terminal is successfully authenticated, the Switch dynamically assigns a VLAN based on the VLAN information (the VLAN ID of a MAC VLAN) received from the RADIUS server.
The figures below describe an example of a configuration using VLAN-based authentication (dynamic), and illustrate its operation.
[Figure: configuration example for VLAN-based authentication (dynamic)]
[Figure: operation of VLAN-based authentication (dynamic)]
(2) Authentication submode
The sub-modes that you can apply to basic authentication modes are described below.
(a) Single-terminal mode
In single-terminal mode, only one terminal can be authenticated at a given interface. This is the default sub-mode. If the Switch receives an EAP packet from a second terminal, the port returns to the unauthorized state, and the authentication sequence resumes only after the time period specified by the configuration command has elapsed.
(b) Multiple-terminal mode
In multiple-terminal mode, multiple terminals can be attached to a single interface, but only one of them needs to be authenticated for all of them to be granted access. After the first terminal is authenticated, the Switch ignores EAP packets from the other terminals. Note that this means every device sharing the interface (for example, behind an unmanaged hub) is forwarded on the strength of one supplicant's credentials.
(c) Terminal authentication mode
Terminal authentication mode allows you to attach multiple terminals to a single interface, but requires that each terminal (identified by source MAC address) be authenticated. In this mode, the Switch starts a new authentication sequence when it receives an EAP packet from a new terminal.
(3) Authentication mode option
This subsection describes the options you can configure for authentication modes and sub-modes.
(a) Authentication-exempted terminal option
This option permits communication without authentication for terminals whose MAC addresses have been registered through the static MAC address learning functionality or the MAC VLAN functionality. You can use this option to admit devices such as printers that cannot operate as a supplicant, and specific terminals such as servers that do not need to be authenticated. This option is available only in terminal authentication mode. Because the exemption is keyed on the source MAC address alone, any device that presents a registered MAC address is forwarded without authentication, so keep the exempted list as short as possible.
The figure below describes an example of a VLAN-based authentication-exempted terminal (dynamic).
[Figure: example of an authentication-exempted terminal with VLAN-based authentication (dynamic)]
(b) Authentication-exempted port option
This option permits communication without authentication for the terminals attached to specific physical ports or channel groups. You can use this option with VLAN-based authentication (static) to designate a non-authenticating port in an authenticating VLAN.
When multiple VLANs are set up at a port configured for VLAN-based authentication (static), the specified port will act as an authentication-exempted port for all of the VLANs.
The figure below describes an example of a VLAN-based authentication-exempted port (static).
[Figure: example of an authentication-exempted port with VLAN-based authentication (static)]
(c) Option for restricting the number of terminals to be authenticated
This option restricts the maximum number of terminals that can be authenticated at a given authentication unit (a port or channel group in port-based mode, a VLAN in the VLAN-based modes). It applies only in terminal authentication mode. The following table lists the values you can set for each authentication mode.
| Authentication mode | Initial value | Minimum | Maximum |
|---|---|---|---|
| Port-based authentication | 64 | 1 | 64 |
| VLAN-based authentication (static) | 256 | 1 | 256 |
| VLAN-based authentication (dynamic) | 1024 | 1 | 1024 |
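The following executable model is added here to make the differences between the three sub-modes and the two terminal-mode options concrete; it is not code from the Switch or its vendor. The class and method names are hypothetical, and the EAP exchange itself is reduced to a success/failure result supplied by the caller. The sample MAC addresses are constructed.

```python
"""Model of the IEEE 802.1X sub-modes (single-terminal, multiple-terminal,
terminal authentication) plus the authentication-exempted terminal option
and the terminal-count limit. Added illustration; names are hypothetical."""
from dataclasses import dataclass, field

SINGLE = "single-terminal"
MULTI = "multiple-terminal"
TERMINAL = "terminal-authentication"


@dataclass
class AuthUnit:
    """One authentication unit: a port or channel group, or a VLAN."""
    submode: str = SINGLE                      # single-terminal is the default sub-mode
    max_terminals: int = 64                    # port-based default from the table above
    exempt_macs: frozenset = frozenset()       # authentication-exempted terminals
    authorized: set = field(default_factory=set)   # MACs that passed authentication
    port_authorized: bool = False              # whole-port state for single/multi modes

    def __post_init__(self):
        # The exemption and limit options apply only in terminal authentication mode.
        if self.submode != TERMINAL and self.exempt_macs:
            raise ValueError("exempted terminals require terminal authentication mode")

    def on_eap(self, mac, success):
        """Process an EAP exchange from `mac` that ended with `success`; return the outcome."""
        if self.submode == SINGLE:
            if self.port_authorized and mac not in self.authorized:
                # An EAP packet from a second terminal drops the port to unauthorized;
                # authentication resumes only after the configured period elapses.
                self.port_authorized = False
                self.authorized.clear()
                return "port-unauthorized"
            if success:
                self.port_authorized = True
                self.authorized = {mac}
                return "authorized"
            self.port_authorized = False
            self.authorized.clear()
            return "failed"

        if self.submode == MULTI:
            if self.port_authorized:
                return "ignored"          # EAP from other terminals is ignored once one passed
            if success:
                self.port_authorized = True
                self.authorized = {mac}
                return "authorized"
            return "failed"

        # Terminal authentication mode: every source MAC is authenticated individually.
        if mac in self.exempt_macs:
            return "exempt"               # printers, servers, ...: forwarded without EAP
        if mac in self.authorized:
            return "authorized"           # re-authentication of a known terminal
        if len(self.authorized) >= self.max_terminals:
            return "limit-exceeded"       # option for restricting the number of terminals
        if success:
            self.authorized.add(mac)
            return "authorized"
        return "failed"

    def may_forward(self, mac):
        """Is traffic from `mac` forwarded on this unit?"""
        if self.submode == TERMINAL:
            return mac in self.exempt_macs or mac in self.authorized
        # In single/multi modes the port as a whole is either open or closed.
        return self.port_authorized


def compare_submodes():
    """Run the same two-terminal sequence through each sub-mode with a limit of 1."""
    a, b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed sample MACs
    out = {}
    for mode in (SINGLE, MULTI, TERMINAL):
        u = AuthUnit(submode=mode, max_terminals=1)
        out[mode] = (u.on_eap(a, True), u.on_eap(b, True), u.may_forward(a), u.may_forward(b))
    return out


if __name__ == "__main__":
    for mode, result in compare_submodes().items():
        print(f"{mode:24s} first={result[0]:18s} second={result[1]:18s} fwd(a)={result[2]} fwd(b)={result[3]}")
```

Running it shows the security-relevant contrast: in single-terminal mode the second supplicant knocks the whole port back to unauthorized, in multiple-terminal mode the second terminal is forwarded without ever being authenticated, and in terminal authentication mode the second terminal is judged on its own and, here, refused by the terminal limit.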
(d) Authentication default VLAN
This functionality assigns a port VLAN to terminals that cannot be placed in a MAC VLAN, for example because they do not support IEEE 802.1X. If a port VLAN or default VLAN is configured on a port that uses VLAN-based authentication (dynamic), that VLAN serves as the authentication default VLAN. Terminals are placed in the authentication default VLAN in the following cases:
- The terminal does not support IEEE 802.1X authentication
- The terminal has not yet been authenticated by IEEE 802.1X
- The terminal fails authentication or re-authentication
- The VLAN ID returned by the RADIUS server does not correspond to a MAC VLAN
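The decision described in (1)(c) and (3)(d), as an added example that is not code from the Switch or its vendor: decode the VLAN carried in a RADIUS Access-Accept, assign it only if it names a MAC VLAN, and otherwise (including after an Access-Reject) fall back to the authentication default VLAN. The page does not state which RADIUS attributes the Switch reads; the code assumes the RFC 3580 triple Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID. The packets are constructed for the example with a zeroed authenticator.

```python
"""RADIUS Access-Accept VLAN decoding and the MAC VLAN / default VLAN decision.
Added illustration; assumes RFC 3580 tunnel attributes, which the page does not confirm."""
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def parse_attributes(payload):
    """Split a RADIUS attribute list (type, length, value, ...) into (type, value) pairs."""
    attrs, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[off + 2:off + alen]))
        off += alen
    return attrs


def tagged_int(value):
    """RFC 2868 tagged integer: one tag byte, then a 3-byte big-endian value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value):
    """RFC 2868 tagged string: a leading byte of 0x00..0x1F is a tag, otherwise there is none."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(attrs):
    """Return the VLAN ID named by a consistent Tunnel-* triple (same tag), or None."""
    groups = {}
    for atype, value in attrs:
        if atype == TUNNEL_TYPE:
            tag, val = tagged_int(value)
            groups.setdefault(tag, {})["type"] = val
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, val = tagged_int(value)
            groups.setdefault(tag, {})["medium"] = val
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, val = tagged_string(value)
            groups.setdefault(tag, {})["group"] = val
    for tag in sorted(groups):
        g = groups[tag]
        if g.get("type") != TUNNEL_TYPE_VLAN or g.get("medium") != TUNNEL_MEDIUM_IEEE802:
            continue
        try:
            vid = int(g.get("group", b"").decode("ascii"))
        except ValueError:              # non-numeric or non-ASCII group ID
            continue
        if 1 <= vid <= 4094:
            return vid
    return None


def assign_vlan(packet, mac_vlans, default_vlan=None):
    """Decide the terminal's VLAN from the RADIUS reply; returns (vlan_id, reason)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    if code == ACCESS_ACCEPT:
        vid = vlan_from_accept(parse_attributes(packet[20:]))
        if vid in mac_vlans:
            return vid, "mac-vlan"             # dynamic assignment to the MAC VLAN
    # Access-Reject, no usable VLAN attributes, or a VLAN ID that is not a MAC VLAN
    if default_vlan is not None:
        return default_vlan, "default-vlan"    # authentication default VLAN
    return None, "unauthorized"


def build_reply(code, attrs):
    """Constructed RADIUS reply with identifier 1 and a zeroed authenticator (sample only)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


def vlan_attrs(vid, tag=1):
    """The three RFC 3580 attributes that carry VLAN `vid`, sharing one tag byte."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vid).encode("ascii")),
    ]


if __name__ == "__main__":
    mac_vlans = {100, 200}                     # constructed MAC VLAN set; default VLAN 10
    print(assign_vlan(build_reply(ACCESS_ACCEPT, vlan_attrs(100)), mac_vlans, 10))
    print(assign_vlan(build_reply(ACCESS_ACCEPT, vlan_attrs(300)), mac_vlans, 10))
    print(assign_vlan(build_reply(ACCESS_REJECT, []), mac_vlans, 10))
```

The check that the returned VLAN ID is actually a configured MAC VLAN is the important one: a RADIUS reply naming a VLAN the Switch does not treat as a MAC VLAN must not silently land the terminal somewhere privileged, which is why the fallback goes to the authentication default VLAN rather than to the VLAN named in the reply.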