Specifications
Working with Security Configurations
MAC Authentication Overview
Matrix E1 Series (1G58x-09 and 1H582-xx) Configuration Guide 14-117
behavior is changed according to the authorized access policy and a session is started. If
unsuccessful, the forwarding behavior of the port remains unchanged.
If successful, the filter-id in the RADIUS response may contain a policy string of the form
policy="policy name". If the string exists and it refers to a currently configured access policy in this
switch, then the port receives this new policy. If authenticated, but the authorized policy is invalid
or non-existent, then the port forwards the frame normally according to the port default policy, if
one exists. Otherwise, frames are forwarded without any policy.
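The following Python sketch is an added example, not code from this guide or from the switch: it models the policy selection described above and audits a list of RADIUS Filter-Id values to find accepted logins that would fall back to the port default policy or to no policy at all. The regular expression for the policy string, the outcome labels, and all port names, policy names and Filter-Id values are assumptions constructed for illustration.

```python
import re

# Assumed syntax for the guide's policy="policy name" form; the switch's exact
# matching rules (case, whitespace, quoting) are not stated on the page.
POLICY_RE = re.compile(r'policy\s*=\s*"([^"]*)"')

def resolve(auth_ok, filter_id, configured, port_default):
    """Return (outcome, policy) per the rules described in the text."""
    if not auth_ok:
        return "UNCHANGED", None             # forwarding behavior unchanged
    m = POLICY_RE.search(filter_id or "")
    if m and m.group(1) in configured:
        return "AUTHORIZED", m.group(1)      # port receives the new policy
    if port_default is not None:
        return "PORT_DEFAULT", port_default  # invalid or missing policy string
    return "NO_POLICY", None                 # forwarded without any policy

def audit(accepts, configured, port_defaults):
    """List accepted logins that do not end up on their authorized policy."""
    findings = []
    for port, filter_id in accepts:
        outcome, policy = resolve(True, filter_id, configured,
                                  port_defaults.get(port))
        if outcome != "AUTHORIZED":
            findings.append((port, outcome, policy))
    return findings

# Constructed sample data: policy names, port names and Filter-Id values
# are hypothetical.
CONFIGURED = {"guest", "staff"}
PORT_DEFAULTS = {"port1": "guest"}
ACCEPTS = [
    ("port1", 'policy="staff"'),       # valid
    ("port1", 'policy="stafff"'),      # typo on the RADIUS server
    ("port2", 'policy="contractor"'),  # policy never created on the switch
    ("port3", ""),                     # Access-Accept without a policy string
]

if __name__ == "__main__":
    for port, outcome, policy in audit(ACCEPTS, CONFIGURED, PORT_DEFAULTS):
        print(f"{port}: {outcome} (policy={policy})")
```

NO_POLICY findings deserve attention first: the station authenticated, but its frames are forwarded without any policy because the port has no default to fall back on.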
14.4.3.2 Concurrent Operation of 802.1X and MAC Authentication
When both 802.1X (EAPOL) and MAC authentication are enabled on the same device, the switch
enforces a precedence relationship between MAC authentication and 802.1X methods. This
section defines the precedence rules to determine which authentication method has control over an
interface.
When both methods are enabled, and when a user is authenticated using the 802.1X method,
802.1X takes precedence over MAC authentication. If the port or MAC remains unauthenticated in
802.1X, then MAC authentication is active and may authenticate the next MAC address received
on that port.
MAC authentication and 802.1X can be configured to run concurrently on the same module, but
exclusively on distinct interfaces. To achieve this, the 802.1X port behavior in the
force-unauthorized state is overloaded by enabling both 802.1X and MAC authentication, setting
the 802.1X MIB to force-unauthorized for the interface in question, and enabling it for MAC
authentication. This allows MAC authentication to run unhindered by 802.1X on that interface by,
in effect, disabling all 802.1X control over it.
If a switch port is configured to enable both 802.1X and MAC authentication, then it is possible for
the switch to receive a start or a response 802.1X frame while a MAC authentication is in progress.
In this situation, the switch immediately aborts MAC authentication. The 802.1X authentication
then proceeds to completion. After the 802.1X login completes, the user has either succeeded and
gained entry to the network, or failed and is denied access to the network. After the 802.1X login
attempt, no new MAC authentication logins occur on this port until:
• A link is toggled.
NOTE: Port Web Authentication (PWA) cannot be enabled if either MAC authentication
or EAPOL (802.1X) is enabled. For information on configuring PWA as an alternative
authentication method, refer to Section 14.3.5.