Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


About the Authentication Profiles Page


To access this page, select Configuration > SD-LAN > Authentication Profiles in Customer Portal.

Use this page to view, clone, edit, and delete authentication profiles. An authentication profile enables you to define parameters to authenticate a user. You can define the following parameters in an authentication profile—the authentication method, fallback options, and other settings (for example, number of retries, maximum number of requests that can be allowed, and authentication server timeout) related to the communication between the switch and a supplicant.

Tasks You Can Perform

You can perform the following tasks from this page:

  • Add an authentication profile—See Add Authentication Profiles.

  • Edit, clone, or delete an authentication profile—See Edit, Clone, and Delete an Authentication Profile.

  • Clear the selected authentication profiles—Click Clear All Selections to clear any authentication profiles that you might have selected.

  • Search for authentication profiles using keywords—Click the search icon and enter the search term in the text box and press Enter. The search results are displayed on the same page.

Field Descriptions

Table 1 describes the fields on the Authentication Profiles page.

Table 1: Authentication Profiles Page Fields



Profile Name

Name of the authentication profile.


A description about the authentication profile.

Supplicant Mode

The mode of authenticating supplicants:

  • Single—Authenticates only the first supplicant in a LAN. All other supplicants in the LAN that connect later to the port are allowed access without any further authentication, based on the first supplicant’s authentication.

  • Single Secure—Allows only one supplicant in a LAN to connect to the port. No other supplicant in the LAN is allowed to connect until the first supplicant logs out.

  • Multiple—Allows multiple supplicants in a LAN to connect to the port. Each supplicant is authenticated individually.

Primary Authentication Method

The primary method for authenticating a supplicant:

  • dot1x—IEEE 802.1X standard for port-based network access control (PBNAC); protects Ethernet LANs from unauthorized user access.

    The dot1x method blocks all traffic to and from a supplicant at the port until the supplicant’s credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch allows traffic from and to the supplicant to transmit through it.

  • MAC RADIUS—Used for network devices (such as a printer or a camera) connected in a LAN that needs to access network resources, but do not support the 802.1X standard.

    When a switch detects a supplicant that is not 802.1X-enabled on its port, the switch transmits the MAC address of the supplicant to the authentication server. The server then tries to match the MAC address with a list of MAC addresses in its database. If the MAC address matches an address in the list, the supplicant is authenticated.

Secondary Authentication Method

The secondary method for authenticating a supplicant when the switch is unable to validate a supplicant by using the primary method :

  • None

  • dot1x, when MAC RADIUS is set as the primary authentication method.

  • MAC RADIUS, when the dot1x method is set as the primary authentication method.

Server Fail

The action that the switch takes when the RADIUS servers are unavailable for authenticating a supplicant:

  • None—No action is taken. If network access is already granted to a supplicant, the access is maintained.

  • Deny—Network access is denied to the supplicant.

  • Permit—Network access is permitted to the supplicant. If a RADIUS server timeout occurs during reauthentication, traffic is allowed from and to the supplicant as the supplicant is already authenticated.

  • Use Cache—Recognizes already connected supplicants and reauthenticates the supplicant when there is a RADIUS server timeout (new supplicants are denied access):

  • VLAN ID—Moves a supplicant to a specified VLAN (server fail VLAN) if a RADIUS server timeout occurs:

Server Reject

The action the switch takes when the switch is unable to validate a supplicant because of incorrect credentials provided by the supplicant:

  • None—No action is taken and the supplicant is denied network access.

  • VLAN ID—Moves the supplicant to a specified VLAN (server reject VLAN) with limited network access (Internet only)


The action the switch takes for temporary users such as guests or contractors:

  • None—No action is taken and the supplicant is denied network access.

  • VLAN ID—Moves the supplicants to a specified VLAN (guest VLAN) with limited network access (Internet only)