User's Manual
47 | Wireless configuration HP Cloud Network Manager | User Guide
n MAC authentication precedes 802.1X authentication - The administrators can enable MAC authentication
for 802.1X authentication. MAC authentication shares all authentication server configurations with 802.1X
authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If
MAC authentication fails, 802.1X authentication is not triggered. If MAC authentication is successful,
802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X
authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only
role.
n MAC authentication only role - Allows you to create a mac-auth-only role to allow role-based access rules
when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a
client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication
is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily
used for wired clients.
n L2 authentication fall-through - Allows you to enable the l2-authentication-fallthrough mode. When this
option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is
disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by
default.
For more information on configuring an AP to use MAC + 802.1X Authentication, see Configuring MAC
authentication with 802.1X authentication on page 53.
l Captive Portal β Captive portal authentication is used for authenticating guest users. For more information on
captive portal authentication, see Captive portal for guest access on page 56.
l MAC authentication with Captive Portal authenticationβThis authentication method has the following
features:
n If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC
authentication reuses the server configurations.
n If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and
MAC authentication is enabled, a server configuration page is displayed.
n If the captive portal splash page type is none, MAC authentication is disabled.
n You can configure the mac-auth-only role when MAC authentication is enabled with captive portal
authentication.
For more information configuring an AP to use MAC and captive portal authentication, see Configuring MAC
authentication with captive portal authentication on page 54.
l 802.1X authentication with Captive Portal authentication β This authentication mechanism allows you to
configure different captive portal settings for clients on the same SSID. For example, you can configure an
802.1x SSID and create a role for captive portal access, so that some of the clients using the SSID derive the
captive portal role. You can configure rules to indicate access to external or internal captive portal, or none. For
more information on configuring captive portal roles for an SSID with 802.1x authentication, see Configuring
captive portal roles for an SSID on page 63.
l WISPr authenticationβWireless Internet Service Provider roaming (WISPr) authentication allows a smart
client to authenticate on the network when they roam between wireless Internet Service Providers (ISPs), even
if the wireless hotspot uses an ISP with whom the client may not have an account.
If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the
internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and
allows the client to access the network. If the client only has an account with a
partner
ISP, the WISPr AAA
server forwards the credentials of the client to the WISPr AAA server of the partner ISP for authentication.
When the client is authenticated on the partner ISP, it is also authenticated on hotspot of your ISP as per their
service agreements. The AP assigns the default WISPr user role to the client when your ISP sends an