Authentication Process Flow for EX Series Switches

You can control access to your network through an EX Series switch by using several different authentication methods—802.1X, MAC RADIUS, or captive portal.

Figure 1 illustrates the authentication process:

Figure 1: Authentication Process Flow for an EX Series Switch

[Figure 1 image: g020019.gif]

The basic authentication process works like this:

  1. Authentication is initiated by an end device sending an EAP request or a data packet.
  2. If the MAC address of the end device is in the static MAC bypass list or the authentication whitelist, the switch accepts the end device without querying the authentication server and allows the end device to access the LAN.
  3. If the MAC address is not in the static MAC bypass list or the authentication whitelist, the switch checks whether an authenticator statement is configured on the interface. If an authenticator is not configured, the switch checks for captive portal configuration—skip to Step 6.

    If an authenticator is configured:

    1. The switch checks whether the mac-radius restrict statement is configured on the interface. If mac-radius restrict is configured, the switch does not attempt 802.1X authentication—skip to Step 5. If it is not configured, go on to Step 2.
    2. The switch sends either an EAP request (if the end device initiated contact with a data packet) or an EAP response (if the end device initiated contact with an EAPOL-start message).
    3. If there is no response, the switch tries sending an EAP request two more times.

      Note: You can configure both the maximum number of times an EAPOL request packet is retransmitted and the timeout period between attempts. See Configuring 802.1X Interface Settings (CLI Procedure).

    4. If the end device does not respond to the EAP messages sent by the switch, the switch checks for MAC RADIUS configuration—skip to Step 4. If it does respond, go on to Step 5.
    5. When an EAP request is received from the end device, the switch sends an authentication request message to the authentication server.

      If the authentication server does not respond, the switch checks whether there is a server fail VLAN configured. If there is a server fail VLAN, the switch performs the configured server fail fallback operation. If there is no server fail VLAN, skip to Step 6.

    6. The authentication server sends an access-accept or access-reject message. If the authentication server sends an access-reject message, skip to Step 8.
  4. If the end device does not respond to the EAP messages, the switch checks whether MAC RADIUS authentication is configured on the interface. If it is not configured, skip to Step 6.
  5. If MAC RADIUS authentication is configured on the interface:
    1. The switch sends a MAC RADIUS authentication request to the authentication server. The switch sends only one such request.

      If the authentication server does not respond, the switch checks whether there is a server fail VLAN configured on the switch. If there is a server fail VLAN, the switch performs the configured server fail fallback operation. If there is no server fail VLAN, skip to Step 8.

    2. The authentication server sends an access-accept or access-reject message. If the authentication server sends an access-reject message, go on to Step 6.
  6. If MAC RADIUS authentication is not configured on the interface or if the authentication server responds with an access-reject message for MAC RADIUS authentication, the switch checks whether captive portal is configured on the interface. If captive portal is not configured on the interface, skip to Step 8.
  7. If captive portal authentication is configured on the interface:
    1. The switch sends a request to the user on the end device for captive portal authentication information.
    2. The switch sends the captive portal authentication information to the authentication server.
    3. The authentication server sends an access-accept or access-reject message.

      If the server sends an access-reject message, go on to Step 8.

    Note: If an end device is authenticated on the interface using captive portal, this becomes the active authentication method on the interface. When captive portal is the active authentication method, the switch falls back to 802.1X authentication if there are no sessions in the authenticated state and if the interface receives an EAP packet.

  8. The switch checks whether there is a guest VLAN configured on the switch. If a guest VLAN is configured, the switch allows the end device limited access to the LAN.
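The decision flow above is easy to misread where the fallbacks differ (for example, an access-reject for 802.1X goes straight to the guest VLAN check, while an access-reject for MAC RADIUS still tries captive portal, and an unreachable server falls back differently depending on the method). The following model is an added example, not Juniper code or Junos configuration syntax: it encodes Steps 2 through 8 as a pure function whose inputs (the interface and switch configuration, how the end device behaves, and scripted server replies) are assumptions chosen for illustration. It returns the outcome together with a trace of the steps taken, which is useful when reviewing an interface configuration to confirm which fallback path a non-supplicant device will actually land on. One behaviour the page does not specify, a captive portal request that gets no server reply, is modelled as falling through to Step 8 and is marked as an assumption in the code.

```python
"""Decision-flow model of EX Series switch authentication (added example, not Juniper code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Reply(Enum):
    """Scripted outcome of one exchange with the authentication server."""
    ACCEPT = "access-accept"
    REJECT = "access-reject"
    NONE = "no-response"      # models an unreachable server


@dataclass
class InterfaceConfig:
    authenticator: bool = False        # 'authenticator' statement present (Step 3)
    mac_radius: bool = False           # MAC RADIUS configured (Step 4)
    mac_radius_restrict: bool = False  # 'mac-radius restrict' (Step 3.1)
    captive_portal: bool = False       # captive portal configured (Step 6)
    server_fail_vlan: Optional[str] = None
    guest_vlan: Optional[str] = None
    eap_retries: int = 2               # retransmissions after the first EAP request (Step 3.3)


@dataclass
class SwitchConfig:
    static_mac_bypass: Set[str] = field(default_factory=set)
    whitelist: Set[str] = field(default_factory=set)


@dataclass
class EndDevice:
    mac: str
    answers_eap: bool = False  # True for a supplicant that replies to EAP requests


@dataclass
class AuthServer:
    """One scripted reply per method (constructed test input, not real RADIUS traffic)."""
    dot1x: Reply = Reply.NONE
    mac_radius: Reply = Reply.NONE
    captive_portal: Reply = Reply.NONE


@dataclass
class Outcome:
    result: str                 # "accept", "limited", "server-fail-fallback" or "deny"
    method: Optional[str]       # which step granted (or last handled) access
    vlan: Optional[str] = None  # guest or server-fail VLAN when one applies
    trace: List[str] = field(default_factory=list)


def authenticate(switch: SwitchConfig, iface: InterfaceConfig,
                 device: EndDevice, server: AuthServer) -> Outcome:
    trace: List[str] = []

    def guest_vlan() -> Outcome:            # Step 8
        trace.append("step8:guest-vlan-check")
        if iface.guest_vlan:
            return Outcome("limited", "guest-vlan", iface.guest_vlan, trace)
        return Outcome("deny", None, None, trace)

    def server_fail(method: str) -> Optional[Outcome]:
        # Server did not answer: use the server fail VLAN if one exists, else let the caller continue.
        trace.append(f"{method}:server-no-response")
        if iface.server_fail_vlan:
            return Outcome("server-fail-fallback", method, iface.server_fail_vlan, trace)
        return None

    def captive_portal() -> Outcome:        # Steps 6 and 7
        trace.append("step6:captive-portal-check")
        if not iface.captive_portal:
            return guest_vlan()
        trace.append("step7:captive-portal-request")
        if server.captive_portal is Reply.ACCEPT:
            return Outcome("accept", "captive-portal", None, trace)
        # Reject goes to Step 8 per the flow; no-reply is not covered by the page (assumption: same path).
        trace.append(f"captive-portal:{server.captive_portal.value}")
        return guest_vlan()

    def mac_radius() -> Outcome:            # Step 5 (a single request is sent)
        trace.append("step5:mac-radius-request")
        if server.mac_radius is Reply.NONE:
            return server_fail("mac-radius") or guest_vlan()      # Step 5.1: no server fail VLAN -> Step 8
        if server.mac_radius is Reply.ACCEPT:
            return Outcome("accept", "mac-radius", None, trace)
        trace.append("mac-radius:access-reject")
        return captive_portal()                                   # Step 5.2: reject -> Step 6

    # Step 2: bypass list or whitelist is accepted without asking the server.
    if device.mac in switch.static_mac_bypass or device.mac in switch.whitelist:
        method = "static-mac-bypass" if device.mac in switch.static_mac_bypass else "authentication-whitelist"
        trace.append(f"step2:{method}")
        return Outcome("accept", method, None, trace)

    # Step 3: no authenticator statement -> straight to the captive portal check.
    if not iface.authenticator:
        trace.append("step3:no-authenticator")
        return captive_portal()
    if iface.mac_radius_restrict:            # Step 3.1: skip 802.1X entirely
        trace.append("step3.1:mac-radius-restrict")
        return mac_radius()

    # Steps 3.2 and 3.3: first EAP request plus the configured retransmissions.
    for n in range(1, iface.eap_retries + 2):
        trace.append(f"step3.2:eap-request#{n}")
        if device.answers_eap:
            break
    else:                                    # Step 4: no supplicant answered
        trace.append("step4:no-eap-response")
        return mac_radius() if iface.mac_radius else captive_portal()

    # Step 3.5 and 3.6: forward the EAP exchange to the server.
    trace.append("step3.5:dot1x-auth-request")
    if server.dot1x is Reply.NONE:
        return server_fail("dot1x") or captive_portal()           # no server fail VLAN -> Step 6
    if server.dot1x is Reply.ACCEPT:
        return Outcome("accept", "802.1x", None, trace)
    trace.append("dot1x:access-reject")
    return guest_vlan()                                           # Step 3.6: reject -> Step 8


if __name__ == "__main__":
    # Constructed scenario: a printer that never speaks EAP on a port with MAC RADIUS and a guest VLAN.
    printer = EndDevice("00:11:22:33:44:55")
    port = InterfaceConfig(authenticator=True, mac_radius=True, guest_vlan="guest")
    print(authenticate(SwitchConfig(), port, printer, AuthServer(mac_radius=Reply.REJECT)))
```

Reading the trace for a non-supplicant shows the three EAP attempts before the switch moves on, which is also the delay a device on that port experiences before MAC RADIUS or the guest VLAN takes effect; tuning the retry count and timeout (see the note under Step 3) trades that delay against the chance of missing a slow supplicant.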

Published: 2010-06-22