The Port Based Authentication page contains fields for configuring port based authentication and for enabling Guest VLANs. To open the Port Based Authentication page, click Switch → Network Security → Port Based Authentication.
Figure 7-1. Port Based Authentication
• Port Based Authentication State — Permits port based authentication on the device. The possible field values are:
– Enable — Enables port based authentication on the device.
– Disable — Disables port based authentication on the device.
• Authentication Method — The authentication method used. The possible field values are:
– None — No authentication method is used to authenticate the port.
– RADIUS — Port authentication is performed using the RADIUS server.
– RADIUS, None — Port authentication is performed first using the RADIUS server. If the port is not authenticated, then no authentication method is used, and the session is permitted.
• Guest VLAN — Specifies whether the Guest VLAN is enabled on the device. The possible field values are:
– Enable — Enables using a Guest VLAN for unauthorized ports. If a Guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the VLAN List field.
– Disable — Disables using a Guest VLAN for unauthorized ports. This is the default.
• VLAN List — When Guest VLAN is enabled, this field specifies which VLAN the guest will belong to.
• Interface — Contains an interface list.
• User Name — The user name as configured in the RADIUS server.
• Admin Interface Control — Defines the port authorization state. The possible field values are:
– Auto — Enables port-based authentication on the device. The interface moves between an authorized and an unauthorized state based on the authentication exchange between the device and the client.
– ForceAuthorized — Indicates the interface is in an authorized state without being authenticated. The interface sends and receives normal traffic without client port-based authentication.
– ForceUnauthorized — Denies the selected interface system access by moving the interface into unauthorized state. The device cannot provide authentication services to the client through the interface.
• Current Interface Control — The currently configured port authorization state.
• Authentication Type — Specifies the type of authentication on the port. The possible field values are:
– 802.1x Only — Sets the authentication type to 802.1x based authentication only.
– MAC Only — Sets the authentication type to MAC based authentication only.
– 802.1x & MAC — Sets the authentication type to 802.1x based authentication and MAC based authentication.
• Dynamic VLAN Assignment — Indicates whether dynamic VLAN assignment is enabled for this port. This feature allows network administrators to automatically assign users to VLANs during the RADIUS server authentication. When a user is authenticated by the RADIUS server, the user is automatically joined to the VLAN configured on the RADIUS server.
– Port Lock and Port Monitor should be disabled when DVA is enabled.
– Dynamic VLAN Assignment (DVA) can occur only if a RADIUS server is configured, and port authentication is enabled and set to 802.1x multi-session mode.
– If the RADIUS Accept message doesn’t contain the supplicant’s VLAN, the supplicant is rejected.
– Authenticated ports remain members of the Unauthenticated VLAN and the Guest VLAN. Static VLAN configuration is not applied to the port.
– The following list of VLANs cannot participate in DVA: an Unauthenticated VLAN, a Dynamic VLAN that was created by GVRP, a Voice VLAN, a Default VLAN and a Guest VLAN.
– Network administrators can delete the supplicant VLAN while the supplicant is logged in. The supplicant is authorized during the next re-authentication if this supplicant VLAN is re-created or a new VLAN is configured on the RADIUS server.
• Guest VLAN — Specifies whether the Guest VLAN is enabled on the interface.
• Periodic Reauthentication — Reauthenticates the selected port periodically, when enabled. The reauthentication period is defined in the Reauthentication Period (300-4294967295) field.
• Reauthentication Period (300-4294967295) — Indicates the time span in which the selected port is reauthenticated. The field value is in seconds. The field default is 3600 seconds.
• Reauthenticate Now — Permits immediate port reauthentication, when selected.
• Authentication Server Timeout (1-65535) — Defines the amount of time that lapses before the device resends a request to the authentication server. The field value is in seconds. The field default is 30 seconds.
• Resending EAP Identity Request (30-65535) — Defines the amount of time that lapses before EAP requests are resent. The field default is 30 seconds.
• Quiet Period (0-65535) — The number of seconds that the device remains in the quiet state following a failed authentication exchange. The possible field range is 0-65535. The field default is 60 seconds.
• Supplicant Timeout (1-65535) — The amount of time that lapses before EAP requests are resent to the user. The field value is in seconds. The field default is 30 seconds.
• Max EAP Requests (1-10) — The total number of EAP requests sent. If a response is not received after the defined period, the authentication process is restarted. The field default is 2 retries.
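The field ranges and the Dynamic VLAN Assignment rules listed above can be checked mechanically before settings are applied to a port. The following is an added example, not part of the original guide or the device's software; the record keys (auth_method, admin_control, dva and so on), the VLAN kind labels and the sample ports g1 and g2 are assumptions constructed for illustration.

```python
# Added example: audit one port's settings against the ranges and rules
# stated on this page. Record keys and sample ports are hypothetical.

# Ranges as printed in the field labels (seconds, except the request count).
RANGES = {
    "reauth_period": (300, 4294967295),
    "server_timeout": (1, 65535),
    "eap_identity_resend": (30, 65535),
    "quiet_period": (0, 65535),
    "supplicant_timeout": (1, 65535),
    "max_eap_requests": (1, 10),
}
# VLAN kinds the page lists as unable to participate in DVA (labels assumed).
DVA_EXCLUDED = {"unauthenticated", "gvrp-dynamic", "voice", "default", "guest"}


def audit_port(cfg):
    """Return a list of findings for one port record."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        if key in cfg and not lo <= cfg[key] <= hi:
            findings.append(f"{key}={cfg[key]} is outside {lo}-{hi}")
    # Neither of these values guarantees the port was authenticated by RADIUS.
    if cfg.get("auth_method") in ("None", "RADIUS, None"):
        findings.append("auth_method does not require RADIUS authentication")
    if cfg.get("admin_control") == "ForceAuthorized":
        findings.append("port is authorized without being authenticated")
    if cfg.get("dva"):
        if not (cfg.get("radius_configured") and cfg.get("multi_session")):
            findings.append("DVA needs a RADIUS server and 802.1x multi-session mode")
        if cfg.get("port_lock") or cfg.get("port_monitor"):
            findings.append("Port Lock and Port Monitor should be disabled with DVA")
        if cfg.get("radius_vlan_kind") in DVA_EXCLUDED:
            findings.append("RADIUS-assigned VLAN cannot participate in DVA")
    return findings


# Constructed sample records, not exported from a real device.
SAMPLE_PORTS = {
    "g1": {"auth_method": "RADIUS", "admin_control": "Auto", "dva": True,
           "radius_configured": True, "multi_session": True,
           "radius_vlan_kind": "static", "reauth_period": 3600, "quiet_period": 60},
    "g2": {"auth_method": "RADIUS, None", "admin_control": "ForceAuthorized",
           "dva": True, "radius_configured": True, "multi_session": False,
           "port_lock": True, "radius_vlan_kind": "voice", "reauth_period": 120},
}

if __name__ == "__main__":
    for port, cfg in SAMPLE_PORTS.items():
        print(port, audit_port(cfg) or "ok")
```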
Displaying the Port Based Authentication Table
1 Display the Port Based Authentication page.
2 Click Show All.
The Port Based Authentication Table opens:
Figure 7-2. Port Based Authentication Table
• Termination Cause — The reason for which the port authentication was terminated.
• Copy To Checkbox — Copies port parameters from one port to the selected ports.
• Select All — Selects all ports in the Port Based Authentication Table.
Copying Parameters in the Port Based Authentication Table
1 Open the Port Based Authentication page.
2 Click Show All.
The Port Based Authentication Table opens.
3 Select the interface in the Copy Parameters from field.
4 Select an interface in the Port Based Authentication Table.
5 Select the Copy to check box to define the interfaces to which the port based authentication parameters are copied.
6 Click Apply Changes.
The parameters are copied to the selected port in the Port Based Authentication Table, and the device is updated.