>Yes that's how I thought it worked. I guess that's ok in some situations
>but it's really inflexible in others.
>
>HP ProCurve switches allow you to enable both methods of authentication
>together on the same port. It's a little weird how it operates, but it
>seems to work very well in most situations.
>
>When a device connects to the port the switch starts sending EAP
>Identity Request packets. If the device responds with an EAP Identity
>Response and successfully completes 802.1X based authentication, the
>port goes into an open state with the PVID set to the VLAN assigned in
>the Access-Accept packet.
>
>If the device does not respond to the Identity request (or fails 802.1X
>authentication) and starts sending non-EAPOL frames to the port, the
>switch writes the src mac of the device into the User-Name field and
>sends an Access-Request packet to the RADIUS server.
>If the RADIUS server responds to the Access-Request with an
>Access-Accept packet and a VLAN assignment, the PVID is changed to that
>VLAN. If the server responds with an Access-Reject, the port either
>remains closed, or if you have an Unauth-Vid configured for Mac-Based
>auth the PVID is changed to that.
>
>If the port is in the unauth state or is authenticated via Mac-Based
>authentication, the switch will continue to send EAP Identity Requests.
>If at any point the device initiates 802.1X authentication and succeeds
>in authenticating, the PVID of the port will change to the one assigned
>in 802.1X authentication.
>
>If the device then sends an EAPOL-Logoff packet the switch will then
>attempt to re-authenticate the device using Mac-Based authentication.
>
I found the flowchart for Cisco:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/122_25_see/configuration/guide/sw8021x.html#wp1170407

Main difference is that it will not attempt mac auth if 802.1x fails.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
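The port behaviour described in this thread, written out as a small state model. This is an added example, not code from either poster or from any switch vendor. The `Port` class, its method names, the stubbed RADIUS lookups and the sample identities, MACs and VLAN ids are all constructed assumptions, and the `mac_after_dot1x_failure` flag models the difference noted in the reply.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Stub RADIUS lookup: VLAN id on Access-Accept, None on Access-Reject.
Radius = Callable[[str], Optional[int]]

@dataclass
class Port:
    dot1x_radius: Radius                  # keyed by EAP identity
    mac_radius: Radius                    # keyed by source MAC sent as User-Name
    unauth_vid: Optional[int] = None      # Unauth-Vid for MAC-based auth, if configured
    mac_after_dot1x_failure: bool = True  # False: no MAC auth once 802.1X has failed
    state: str = "closed"                 # closed | unauth | mac | dot1x
    pvid: Optional[int] = None
    dot1x_failed: bool = False

    def _set(self, state, pvid):
        self.state, self.pvid = state, pvid
        return state, pvid

    def _mac_auth(self, mac):
        vlan = self.mac_radius(mac)
        if vlan is not None:
            return self._set("mac", vlan)
        if self.unauth_vid is not None:
            return self._set("unauth", self.unauth_vid)
        return self._set("closed", None)

    def eap_response(self, identity):
        """Device answered an EAP Identity Request and completed an 802.1X attempt."""
        vlan = self.dot1x_radius(identity)
        if vlan is not None:
            self.dot1x_failed = False
            return self._set("dot1x", vlan)   # replaces any MAC-based or unauth PVID
        self.dot1x_failed = True              # assumption: port state is left unchanged
        return self.state, self.pvid

    def non_eapol_frame(self, mac):
        """Device sent ordinary traffic instead of EAPOL."""
        if self.state != "closed":
            return self.state, self.pvid      # a decision is already in force
        if self.dot1x_failed and not self.mac_after_dot1x_failure:
            return self.state, self.pvid
        return self._mac_auth(mac)

    def eapol_logoff(self, mac):
        """Supplicant logged off: fall back to MAC-based authentication."""
        return self._mac_auth(mac)

# Constructed sample data, not taken from any real deployment.
USERS = {"alice": 10}
MACS = {"00:11:22:33:44:55": 20}
```

Walking a port through MAC authentication, a later 802.1X success and an EAPOL-Logoff shows the PVID moving between the MAC-assigned and the 802.1X-assigned VLAN, which is the part worth checking against the RADIUS policy for each method.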

