4-8
Web and MAC Authentication
How Web and MAC Authentication Operate
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client 
session, the port belongs to the Authorized VLAN (auth-vid if configured) 
and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member of a 
statically configured, port-based VLAN, then the port remains in this 
VLAN. 
4. If neither 1, 2, or 3, above, apply, then the client session does not have 
access to any statically configured, untagged VLANs and client access is 
blocked.
The assigned port VLAN remains in place until the session ends. Clients may 
be forced to reauthenticate after a fixed period of time (reauth-period) or at 
any time during a session (reauthenticate). An implicit logoff period can be set 
if there is no activity from the client after a given amount of time (logoff-period). 
In addition, a session ends if the link on the port is lost, requiring reauthenti-
cation of all clients. Also, if a client moves from one port to another and client 
moves have not been enabled (addr-moves) on the ports, the session ends and 
the client must reauthenticate for network access. At the end of the session 
the port returns to its pre-authentication state. Any changes to the port’s VLAN 
memberships made while it is an authenticated port take affect at the end of 
the session.
A client may not be authenticated due to invalid credentials or a RADIUS 
server timeout. The server-timeout parameter sets how long the switch waits 
to receive a response from the RADIUS server before timing out. The max-
requests parameter specifies how many authentication attempts may result in 
a RADIUS server timeout before authentication fails.   The switch waits a 
specified amount of time (quiet-period) before processing any new authenti-
cation requests from the client.
Network administrators may assign unauthenticated clients to a specific 
static, untagged VLAN (unauth-vid), to provide access to specific (guest) 
network resources. If no VLAN is assigned to unauthenticated clients the port 
remains in its original VLAN configuration. Should another client successfully 
authenticate through that port any unauthenticated clients are dropped from 
the port.