Configuration Guide Vol. 2


10.2.1 Fixed VLAN

Prior to authentication, a terminal does not appear in the MAC address table and is unable to access the VLAN associated with the interface to which it is attached. If authentication succeeds, the switch adds the terminal's MAC address to the MAC address table, thus permitting access to the VLAN.

In the Switch, you can configure authentication at the following ports:

Tagged and untagged frames that enter a trunk port are handled as follows:

Figure 10-1: Handling Tagged and Untagged Frames


For a device to have access to the pre-authentication VLAN, you need to make sure that the authentication IPv4 access list contains the necessary filter conditions.


(1) Local authentication method

In local authentication, the switch compares the source MAC address of frames received at a MAC-based authentication port against the MAC addresses registered in the internal MAC-based authentication DB. If the source MAC address matches an entry in the database, authentication is successful and the device is permitted to access the network.

Figure 10-2: Configuration of the local authentication method in fixed VLAN mode


Local authentication can be based on the MAC address only, or on a combination of MAC address and VLAN ID. You can use the mac-authentication vlan-check configuration command to specify which method the switch uses.

The following table describes the conditions for performing local authentication based on a combination of MAC address and VLAN ID.

Table 10-1: VLAN ID verification of the local authentication method in fixed VLAN

| Configuration command settings | Internal MAC-based authentication DB contains VLAN ID data: Set | Internal MAC-based authentication DB contains VLAN ID data: Not set |
|---|---|---|
| Set | Authentication is successful if the MAC address and VLAN ID both match. | Authentication is successful if the MAC address matches. |
| Not set | Authentication is successful if the MAC address matches. | Authentication is successful if the MAC address matches. |
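
The decision in Table 10-1, as an added example (not code from this guide or from the switch): a Python model that audits a MAC-based authentication DB for (MAC, VLAN) pairs that authenticate although no entry names that VLAN. The DB layout, the function names and the sample entries are assumptions made for illustration.

```python
# Added example: models Table 10-1 to audit a MAC-based authentication DB.
# Assumed layout: a list of (MAC address, VLAN ID or None) entries.
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[str, Optional[int]]

def normalize_mac(mac: str) -> str:
    """Strip common separators and return 12 lowercase hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def local_auth(db: Iterable[Entry], mac: str, vlan: int, vlan_check: bool) -> bool:
    """Table 10-1 decision for a frame with source `mac` received on `vlan`."""
    mac = normalize_mac(mac)
    for entry_mac, entry_vlan in db:
        if normalize_mac(entry_mac) != mac:
            continue
        # The VLAN ID is compared only when vlan-check is set AND the entry has one.
        if vlan_check and entry_vlan is not None:
            if entry_vlan == vlan:
                return True
        else:
            return True  # MAC-only match
    return False

def unbound_access(db: List[Entry], port_vlans: Iterable[int],
                   vlan_check: bool) -> List[Tuple[str, int]]:
    """(MAC, VLAN) pairs that authenticate although no entry names that VLAN."""
    bound = {(normalize_mac(m), v) for m, v in db if v is not None}
    macs = sorted({normalize_mac(m) for m, _ in db})
    return [(m, v) for m in macs for v in sorted(port_vlans)
            if local_auth(db, m, v, vlan_check) and (m, v) not in bound]

# Constructed sample data (locally administered MACs), not from a real switch.
SAMPLE_DB: List[Entry] = [
    ("02:00:00:00:00:01", 10),
    ("02:00:00:00:00:02", None),
    ("0200.0000.0003", 20),
]
PORT_VLANS = {10, 20}

if __name__ == "__main__":
    for check in (True, False):
        label = "vlan-check set:" if check else "vlan-check not set:"
        print(label, unbound_access(SAMPLE_DB, PORT_VLANS, check))
```

With the check set, only the entry registered without a VLAN ID is reported; with it not set, every entry authenticates on every VLAN of the port.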

(2) RADIUS authentication method

In RADIUS authentication, the switch submits the source MAC address of frames received at a MAC-based authentication port to the RADIUS server for authentication. If the source MAC address matches an entry on the server, authentication is successful and the device is permitted to access the network.

Figure 10-3: Configuration of the RADIUS authentication method in fixed VLAN mode


RADIUS authentication can be based on the MAC address only, or on a combination of MAC address and VLAN ID. You can use the mac-authentication vlan-check configuration command to specify which method the switch uses.

The following table describes the conditions for performing RADIUS authentication based on a combination of MAC address and VLAN ID.

Table 10-2: VLAN ID verification of the RADIUS authentication method in fixed VLAN

| Configuration command settings | Operation |
|---|---|
| Set | Authentication is successful if the MAC address and VLAN ID both match. |
| Not set | Authentication is successful if the MAC address matches. |

You can use the mac-authentication password configuration command to set the password that the Switch uses when submitting an authentication request to the RADIUS server. If you omit this command, the Switch uses the device's MAC address as the password.