135
Triple authentication supporting VLAN assignment and Auth-Fail
VLAN configuration example
Network requirement
, the terminals are connected to a switch to access the IP network. It is required to
configure triple authentication on the Layer-2 interface of the switch which connects to the terminals, so
that a terminal passing one of the three authentication methods, 802.1X authentication, portal
authentication, and MAC authentication, can access the IP network. More specifically,
Portal terminals request IP addresses through DHCP. They obtain IP addresses in 192.168.1.0/24
before authentication and in 3.3.3.0/24 after passing authentication.
802.1X terminals use IP addresses in 192.168.1.0/24 before authentication, and request IP addresses
in 3.3.3.0/24 through DHCP after passing authentication. If the terminal fails authentication, it uses
an IP address in 2.2.2.0/24.
After passing authentication, the printer obtains the IP address 3.3.3.111/24 that is bound with its
MAC address through DHCP.
Use the remote RADIUS server to perform authentication, authorization, and accounting and
configure the switch to send usernames carrying no ISP domain names to the RADIUS server.
The local portal authentication server on the switch uses listening IP address 4.4.4.4. The switch
sends a default authentication page to the web user and forwards authentication data using HTTPS.
Configure VLAN 3 as the authorized VLAN on the RADIUS server. Users passing authentication are
added to this VLAN.
Configure VLAN 2 as the Auth-Fail VLAN on the access device. Users failing authentication are
added to this VLAN, and are allowed to access only the Update server.
Figure 46
Network diagram for triple authentication supporting VLAN assignment and Auth-Fail VLAN
IP network
RADIUS server
Switch
1.1.1.2/24
802.1X client
Printer
Web user
Update server
2.2.2.2/24
Vlan-int3
3.3.3.1
Vlan-int8
192.168.1.1/24
Vlan-int2
2.2.2.1/24
GE1/0/1
Vlan-int1
1.1.1.1
Configuration procedure