Web-Based, MAC-Based, and 802.1X Authentication
Authentication is handled as a web-based process, MAC-based process, or as described in the IEEE 802.1X specification.

Note
When both HTTP and HTTPS are enabled on the switch and the Netlogin client sends HTTP requests, HTTPS takes preference and the switch responds with an HTTPS response.

MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such security measures, for example an IP phone.
If a MAC address is detected on a MAC-based enabled network login port, an authentication request is sent once to the AAA application. AAA tries to authenticate the MAC address against the configured Remote Authentication Dial In User Server (RADIUS) server and its configured parameters (timeout, retries, and so on) or the configured local database.
The credentials used for this are the supplicant's MAC address in ASCII representation and a locally configured password on the switch. If no password is configured, the MAC address is also used as the password. You can also group MAC addresses together using a mask (configure netlogin add mac-list [mac {mask} | default] {encrypted {encrypted_password | password} {ports port_list}).
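The following added example (not ExtremeXOS code) models how the credential pair for a MAC-based login is derived from a configured mac-list: the supplicant's MAC in ASCII is the username, the entry's password (or the MAC itself when none is set) is the password, and entries may cover a vendor group via a mask or act as the default. The preference for the most specific matching entry, the MAC formatting, and the sample list are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MacListEntry:
    mac: str                  # "default", or a MAC such as "00:04:96:00:00:00"
    mask: Optional[str]       # e.g. "ff:ff:ff:00:00:00"; None means an exact match
    password: Optional[str]   # None: the MAC address is also used as the password


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def entry_matches(entry: MacListEntry, mac: str) -> bool:
    if entry.mac == "default":
        return True
    mask = mac_to_int(entry.mask) if entry.mask else 0xFFFFFFFFFFFF
    return (mac_to_int(entry.mac) & mask) == (mac_to_int(mac) & mask)


def specificity(entry: MacListEntry) -> int:
    """Number of fixed bits; 'default' sorts last (assumed precedence rule)."""
    if entry.mac == "default":
        return -1
    return bin(mac_to_int(entry.mask)).count("1") if entry.mask else 48


def mac_credentials(mac_list: List[MacListEntry],
                    supplicant_mac: str) -> Optional[Tuple[str, str]]:
    """Return the (username, password) the switch would send to AAA, or None."""
    # Normalise to the colon-separated lower-case ASCII form used as the username.
    username = supplicant_mac.replace("-", ":").lower()
    for entry in sorted(mac_list, key=specificity, reverse=True):
        if entry_matches(entry, username):
            return username, (entry.password if entry.password else username)
    return None


# Constructed sample mac-list: one vendor-wide masked entry, one exact entry
# with no password, and a default entry.
SAMPLE_MAC_LIST = [
    MacListEntry("00:04:96:00:00:00", "ff:ff:ff:00:00:00", "phones-secret"),
    MacListEntry("00:04:96:12:34:56", None, None),
    MacListEntry("default", None, "guest-default"),
]
```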
DHCP is required for web-based network login because the underlying protocol used to carry authentication request-response is HTTP. The client requires an IP address to send and receive HTTP packets before the client is authenticated; however, the only connection that exists is to the authenticator. As a result, the authenticator must be furnished with a temporary DHCP server to distribute the IP address.
The switch responds to DHCP requests for unauthenticated clients when DHCP parameters such as dhcp-address-range and dhcp-options are configured on the network login VLAN. The switch can also answer DHCP requests following authentication if DHCP is enabled on the specified VLAN. If network login clients are required to obtain DHCP leases from an external DHCP server elsewhere on the network, DHCP should not be enabled on the VLAN.
Warning: The DHCP server configuration is not saved for netlogin-enabled ports. After a reboot or port removal, the DHCP configuration must be reconfigured.
The DHCP allocation for network login has a short lease duration of 10 seconds and is intended to perform web-based network login only. The Netlogin lease timer can be extended using the command: configure vlan vlan_name netlogin-lease-timer seconds. As soon as the client is authenticated, it is deprived of this address. The client must obtain an operational address from another DHCP server in the network. DHCP is not required for 802.1X, which uses only Layer 2 frames (EAPOL), or for MAC-based network login.
URL redirection (applicable to web-based mode only) is a mechanism to redirect any HTTP request to the base URL of the authenticator when the port is in unauthenticated mode. In other words, when the user tries to log in to the network using the browser, the user is first redirected to the network login page. Only after a successful login is the user connected to the network. URL redirection requires that the switch is configured with a DNS client.
Web-based, MAC-based, and 802.1X authentication each have advantages and disadvantages, as summarized in Advantages of Web-Based Authentication.
Advantages of Web-Based Authentication:
- Works with any operating system that is capable of obtaining an IP address using DHCP. There is no need for special client side software; only a web browser is needed.
Disadvantages of Web-Based Authentication:
- The login process involves manipulation of IP addresses and must be done outside the scope of a normal computer login process. It is not tied to a Windows login. The client must bring up a login page and initiate a login.
- Supplicants cannot be re-authenticated transparently. They cannot be re-authenticated from the authenticator side.
- This method is not as effective in maintaining privacy protection.
Advantages of MAC-Based Authentication:
- Works with any operating system or network enabled device.
- Works silently; the user, client, or device does not know that it gets authenticated.
- Ease of management: sets of devices can easily be grouped by the vendor part of the MAC address.
Disadvantages of MAC-Based Authentication:
- Security is based on the MAC address of the client, so the network is more vulnerable to spoofing attacks.
Advantages of 802.1X Authentication:
- In cases where the 802.1X is natively supported, login and authentication happens transparently.
- Authentication happens at Layer 2. It does not involve getting a temporary IP address and subsequent release of the address to obtain a permanent IP address.
- Allows for periodic, transparent re-authentication of supplicants.
Disadvantages of 802.1X Authentication:
- 802.1X native support is available only on newer operating systems, such as Windows 7 or Windows 8.
- 802.1X requires an EAP-capable RADIUS Server. Most current RADIUS servers support EAP, so this is not a major disadvantage.
- Transport Layer Security (TLS) and Tunneled TLS (TTLS) authentication methods involve Public Key Infrastructure (PKI), which adds to the administrative requirements.