Port Authentication Function

1. Function Overview

Port authentication is a function that authenticates devices or users.
This authenticates a device connected to the LAN/SFP port, and permits LAN access only for devices that succeeded in authenticating.
Devices that are not yet authenticated or that failed to authenticate can be denied access to the LAN, or permitted to access only a specific VLAN.

image

2. Definition of Terms Used

IEEE 802.1X

The authentication standard used when connecting to the LAN.

Authenticator

A device or software that authenticates a supplicant connected to a LAN/SFP port.
It mediates between the supplicant and the authentication server, controlling access to the LAN according to the success or failure of authentication.

Supplicant

A device or software that connects to an authenticator and receives authentication.

Authentication server

A device or software that authenticates a supplicant that is connected via the authenticator.
This manages authentication information such as user names, passwords, MAC addresses, and associated VLANs.

EAP (Extensible Authentication Protocol)

This is an authentication protocol that extends PPP, allowing various authentication methods to be used.
This is defined in RFC3748.

EAP over LAN (EAPOL)

This is a protocol for conveying EAP packets between the supplicant and the authenticator.

EAP over RADIUS

This is a protocol for conveying EAP packets between the authenticator and the authentication server (RADIUS server).

EAP-MD5 (Message digest algorithm 5)

Client authentication using user name and password.
This uses an MD5 hash value to authenticate.

EAP-TLS (Transport Layer Security)

This uses the digital certificates of the server and the client to authenticate.
With the transport layer encrypted, the digital certificates are exchanged and authenticated.
This is defined in RFC2716 and RFC5216.

EAP-TTLS (Tunneled TLS)

This is an extended version of EAP-TLS.
This uses the digital certificate of the server to establish a TLS communication route, and within this encrypted communication route uses a password to authenticate the client.
This is defined in RFC5281.

EAP-PEAP (Protected EAP)

The principle of operation is equivalent to EAP-TTLS (the only difference is the protocol inside the encrypted tunnel).
This uses the digital certificate of the server to establish a TLS communication route, and within this encrypted communication route uses a password to authenticate the client.

3. Function Details

The operating specifications for port authentication are shown below.
As port authentication functions, this product supports IEEE 802.1X authentication, MAC authentication, and Web authentication.
The following table shows the distinctive features of each authentication method.

Item | MAC authentication | IEEE 802.1X authentication | Web authentication
-----|--------------------|----------------------------|-------------------
Authenticated element | MAC address | User name and password (EAP-MD5, EAP-TTLS, EAP-PEAP) | User name and password
Authenticated object (supplicant) | Device | Device or user | Device or user
Functions needed by supplicant | None | IEEE 802.1X authentication function | Web browser
Operation when authenticating | None | User name and password entry (EAP-MD5, EAP-TTLS, EAP-PEAP) | User name and password entry

This product assumes a RADIUS server as the authentication server.

Note that the port authentication function of this product has the following limitations.

  • The number of supplicants that can be authenticated is one for each port in single host mode or multi host mode; for multi supplicant mode, the maximum is 512 for the entire system.

  • It cannot be used on a private VLAN port.

  • It cannot be used on a voice VLAN port.

  • If port authentication is enabled, a spanning tree topology change will occur according to the authentication result.
    If you want to avoid this, specify “spanning-tree edgeport” for the authentication port to which the supplicant will be connected.

  • Web authentication can be used only in the multi supplicant mode.

  • Web authentication cannot be used together with a guest VLAN.

  • When using the stack function, a file saved on the main switch is referenced as the Web Authentication screen customization file.

  • When using the stack function, if a member switch is added, the authentication information of the supplicant connected to the logical interface is cleared.

  • When using the stack function, if the main switch is demoted to a member switch status, authentication information is cleared from connected supplicants.

  • Trunk ports can only be used in the multi supplicant mode.

  • Trunk ports cannot use dynamic or guest VLANs.

  • If you also use the L2MS function on a trunk port, you must set the native VLAN to be provided.

  • If the VLAN of either of the following supplicants is changed by a dynamic VLAN, the authentication function may not work properly.

    • DHCP server

    • L2MS compatible device

3.1. IEEE 802.1X authentication

IEEE 802.1X authentication uses EAP to authenticate in units of devices or users.
The supplicant receiving authentication must support IEEE 802.1X authentication.

This product operates as an authenticator that communicates with the supplicant via EAP over LAN and communicates with the RADIUS server via EAP over RADIUS.
The authentication process itself occurs directly between the supplicant and the RADIUS server.

As authentication methods, this product supports EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP.
The features of each authentication method are shown in the following table.

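Authentication method | Client authentication method | Server authentication method | Ease of implementation | Degree of safety
----------------------|------------------------------|------------------------------|------------------------|-----------------
EAP-MD5 | User name and password entry | No authentication | Easy | Low
EAP-TLS | Client certificate | Server certificate | Complex | High
EAP-TTLS | User name and password entry | Server certificate | Medium | Medium
EAP-PEAP | User name and password entry | Server certificate | Medium | Medium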

Make settings for the supplicant and the RADIUS server as appropriate for the authentication method you use.

The basic procedure for IEEE 802.1X authentication is shown in the following diagram.
image

The supplicant is connected to the LAN, and transmits a communication start (EAPOL-Start) message to start authentication.

When authentication succeeds, an authentication success (Success) notification is sent to the supplicant, and the supplicant’s MAC address is registered in the FDB, permitting the supplicant to access the network.

If authentication fails, an authentication failure (Failure) notification is sent to the supplicant, and network access is denied for the supplicant.
(Even without authentication, it is possible to permit access to a specific VLAN if a guest VLAN has been specified.)

3.2. MAC authentication

MAC authentication uses the MAC address of a device to authenticate an individual device.
Since the supplicant does not need any special function to be authenticated, authentication is possible even for devices that do not support IEEE 802.1X.

The basic procedure for MAC authentication is shown in the following diagram.

image

When this product receives any Ethernet frame from the supplicant, it queries the RADIUS server with the supplicant’s MAC address as the user name and password.
EAP-MD5 is used as the authentication mode between this product and the RADIUS server.

When authentication succeeds, the supplicant’s MAC address is registered in the FDB, permitting the supplicant to access the network.
However, it can be registered as a static entry by specifying MAC authenticated static registration (using the auth-mac static command).

If authentication fails, the supplicant is denied network access.
(Even without authentication, it is possible to permit access to a specific VLAN if a guest VLAN has been specified.)

The supplicant’s MAC address must be registered as the user name and password in the RADIUS server, in one of the following formats.

  • XX-XX-XX-XX-XX-XX (hyphen delimited)

  • XX:XX:XX:XX:XX:XX (colon delimited)

  • XXXXXXXXXXXX (not delimited)

This product lets you use the auth-mac auth-user command to change the format of the MAC address query that is made to the RADIUS server.
Specify the appropriate command according to the format of the MAC addresses that are registered in the RADIUS server.
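
A consistency check for the RADIUS side of MAC authentication, added here as an example (it is not part of the product documentation): it audits a list of RADIUS accounts against the single notation the switch is configured to send. The style labels, the sample accounts and the assumption that the RADIUS server compares user names case-sensitively are this example's own.

```python
import re

# The three notations the page lists; the dictionary keys are this example's own labels.
PATTERNS = {
    "hyphen": re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$"),
    "colon": re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$"),
    "none": re.compile(r"^[0-9A-Fa-f]{12}$"),
}
SEPARATOR = {"hyphen": "-", "colon": ":", "none": ""}


def classify(credential):
    """Return (style, case) for a stored MAC credential, or None if it is not a MAC."""
    for style, pattern in PATTERNS.items():
        if pattern.match(credential):
            letters = [c for c in credential if c.isalpha()]
            if not letters:
                case = "any"
            elif all(c.islower() for c in letters):
                case = "lower"
            elif all(c.isupper() for c in letters):
                case = "upper"
            else:
                case = "mixed"
            return style, case
    return None


def render(mac, style, upper=False):
    """Rewrite a MAC address in the chosen notation (assumed to be what the switch sends)."""
    digits = re.sub(r"[-:]", "", mac).lower()
    if not PATTERNS["none"].match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    text = SEPARATOR[style].join(digits[i:i + 2] for i in range(0, 12, 2))
    return text.upper() if upper else text


def audit(accounts, style, upper=False):
    """accounts: (user name, password) pairs. Return (user name, problem) pairs."""
    problems = []
    for user, password in accounts:
        kind = classify(user)
        if kind is None:
            continue  # ordinary user account, not a MAC authentication entry
        expected = render(user, style, upper)
        if user != expected:
            problems.append(
                (user, f"stored as {kind[0]}/{kind[1]}, switch would send {expected}"))
        elif password != user:
            problems.append((user, "password differs from user name"))
    return problems


# Constructed sample accounts (locally administered addresses, not real devices).
ACCOUNTS = [
    ("02-00-00-00-00-01", "02-00-00-00-00-01"),
    ("02:00:00:00:00:02", "02:00:00:00:00:02"),
    ("02-00-00-00-00-03", "secret"),
    ("020000AABB04", "020000AABB04"),
    ("alice", "pw"),
]

if __name__ == "__main__":
    for user, problem in audit(ACCOUNTS, "hyphen"):
        print(f"{user}: {problem}")
```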

3.3. Web authentication

Web authentication is a function that authenticates a user when a user name and password are entered from the supplicant’s web browser.

HTTP is supported as the communication method between the web browser and the network switch.
Because web authentication performs authentication by communicating via HTTP, it is necessary for IP communication between this product and the supplicant to be possible even before authentication.
Either the DHCP server must assign an IP address to the supplicant, or the supplicant must specify an IP address statically.

Web authentication operates only in the multi supplicant mode.
Also, this cannot be used together with a guest VLAN.

The basic procedure for web authentication is shown in the following diagram.

image

This product queries the RADIUS server using the user name and password that were entered in the supplicant’s web browser.
EAP-MD5 is used as the authentication mode between this product and the RADIUS server.

When authentication succeeds, the supplicant’s MAC address is registered in the FDB, permitting the supplicant to access the network.

If authentication fails, the supplicant is denied network access.

3.3.1. Operations on the supplicant

When the supplicant’s web browser accesses IPv4 TCP port 80, the following authentication screen appears.

image

To be authenticated, enter a user name and password, and click the [Login] button.

The supplicant’s MAC address is registered in the FDB, permitting the supplicant to access the network.
If authentication fails three times in succession, authentication is temporarily restricted.

3.3.2. Customizing the authentication screen

The displayed content on the Web authentication screen (the edited HTML, CSS and image files) can be copied to this product, and the following parts can be customized.
Note that we cannot provide support for how to code in HTML/CSS or what formatting to use, or for any troubles that may occur due to modifications to the code.

image
  1. Header
    The header section includes the “header.html” and “style.css” files. Edit these files and copy them to this product in order to customize them.

  2. Image file
    Copy the image provided to this product in order to modify it.

  3. Input form
    The display style used for the input form is defined in the “style.css” file. Although the text cannot be changed, you can edit the “style.css” file and copy it to this product in order to change the input form’s design.

  4. Footer
    The footer section includes the “footer.html” and “style.css” files. Edit these files and copy them to this product in order to customize them.

The following explains how to modify the Web authentication screen.

3.3.2.1. Preparing the authentication screen customization files

The following files are used to customize the Web authentication screen.

  • header.html

  • footer.html

  • logo.png

  • style.css

Use the Web browser to access the “header.html”, “footer.html” and “style.css” files from the network switch.
For example if the IP address of the network switch is 192.168.100.240, you can use the following URL to access the file from a PC connected to a port on which Web authentication is enabled, and then use the browser’s “Save as” command to save the file on the PC.

Save files with an “.html” or “.css” extension and with UTF-8 character encoding specified.
For the image file logo.png, prepare a desired image file on the PC, and save it with the file name logo.png.
The maximum file size is 1 MB.

3.3.2.2. Editing the authentication screen customization files

Edit the above-mentioned HTML and CSS files as appropriate on your PC.
You are free to edit each file in accordance with HTML and CSS specifications, but please note the following points.

  • The only image file that can be referenced from the “header.html” and “footer.html” files is “logo.png”.

  • The extension of the HTML/CSS file must be “.html” or “.css” and the character encoding must be consistent with UTF-8.

3.3.2.3. Placing the authentication screen customization files

When you have prepared the files, place them in /model name/startup-config/web-auth/ on the SD card.
After placing the files, use the copy auth-web custom-file command or the copy startup-config command to copy the authentication screen customization files to the network switch.

If the following files exist in the folder hierarchy in which the currently-running CONFIG is saved, they are used to generate the Web authentication screen.
You can determine the currently-running CONFIG number by using the show environment command.
Even if the network switch started up using the CONFIG on the SD card, you can customize the Web authentication screen by placing these files in /model name/startup-config/web-auth/ on the SD card.

  • header.html
    This is used as the header section referenced from the authentication screen. If this file does not exist, the original “header.html” is used.

  • footer.html
    This is used as the footer section referenced from the authentication screen. If this file does not exist, the original “footer.html” is used.

  • logo.png
    This is used as the logo in the upper left of the authentication screen. If this file does not exist, the original Yamaha logo is shown.

  • style.css
    This is used as the “style.css” referenced from the authentication screen. If this file does not exist, the original style.css is used.

When you have finished placing the edited files, check the display by using your browser to access the Web authentication screen.
If you need to make additional changes, edit the files on your PC, and transfer them again.

3.3.2.4. Canceling customization

If you decide to cancel customization of the authentication screen, delete the customization files from the folder in which the currently-running CONFIG is saved. You will revert to the original authentication screen.
To delete the files, you can use the erase auth-web custom-file command or the erase startup-config command.
However, since the erase startup-config command also deletes files such as config.txt, you should first copy files such as config.txt to an SD card etc. as a backup.

3.4. Using multiple authentication functions

This product allows using a combination of IEEE 802.1X authentication, MAC authentication, and/or Web authentication at the same port.
When network switches are used in combination, each switch is successively authenticated in the authentication order specified using the auth order command. With default settings, IEEE 802.1X authentication is prioritized.
For web authentication, network switches are authenticated by entering an ID and password in the Web Authentication screen, where the authentication method is changed to web authentication.

If multiple authentication methods are used simultaneously, basic operations are as follows.

  • If both IEEE 802.1X authentication and MAC authentication are used, with IEEE 802.1X authentication prioritized

    image

  • If both IEEE 802.1X authentication and MAC authentication are used, with MAC authentication prioritized

    image

  • If both web authentication and IEEE 802.1X/MAC authentication are used

    image

Note

  • If authentication succeeds with any one of the methods, authentication has succeeded.

  • If the reauthentication setting is enabled, then reauthentication is performed using the method with which authentication succeeded.

  • If multiple authentication methods are used, forwarding control settings received via an unauthenticated port will be discarded.

  • If both IEEE 802.1X authentication and MAC authentication are being used and an EAPOL start signal is received from an unauthenticated supplicant, authentication will switch to IEEE 802.1X authentication even if MAC authentication is already in progress.

  • If both IEEE 802.1X authentication and MAC authentication are being used, even if the first authentication method fails, authentication will switch to the next authentication method without entering the restriction period.

  • If both IEEE 802.1X authentication and MAC authentication are being used and any Ethernet frame is received from a supplicant, the product transmits an EAP request.

  • If Web authentication is also being used, unauthenticated supplicants are registered in FDB as static/discard.

3.5. Host mode

This product lets you select the host mode for the port authentication function.
Host mode indicates how an applicable supplicant’s communication will be permitted on the authentication port.

This product lets you choose from the following host modes.

  • Single host mode
    This mode permits communication for only one supplicant for each LAN/SFP port.
    Communication is permitted only for the first supplicant that successfully authenticates.

  • Multi host mode
    This mode permits communication for multiple supplicants for each LAN/SFP port.
    When a supplicant successfully authenticates and communication is permitted, another supplicant that is connected to the same LAN/SFP port and that successfully authenticates is also permitted to communicate on the same VLAN.

  • Multi supplicant mode
    This mode permits communication for multiple supplicants for each LAN/SFP port.
    Each supplicant is distinguished by its MAC address, permitting communication in units of supplicants.
    When using dynamic VLAN functions, you can specify the VLAN for each supplicant.

3.6. Dynamic VLAN

This product supports dynamic VLANs using IEEE 802.1X, MAC, or Web authentication.
Dynamic VLAN is a function that changes the authentication port’s associated VLAN according to the VLAN attribute values in authentication information in notifications received from the RADIUS server.

image

As shown in the illustration above, if a port’s associated VLAN is 1, and the received authentication data has a VLAN attribute of 10, then following successful authentication, the authentication port’s associated VLAN is 10, and communication on VLAN 10 is permitted.

For the RADIUS server, make settings so that the authentication information sent from the server includes the following attribute values.

  • Tunnel-Type = VLAN (13)

  • Tunnel-Medium-Type = IEEE-802 (6)

  • Tunnel-Private-Group-ID = VLAN ID
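
How the three attributes above are carried in an Access-Accept, as an added example (not the switch's implementation): the reply is first checked against the RADIUS shared secret as RFC 2865 defines, then the RFC 2868 tagged attributes are decoded and a VLAN ID is returned only when all three are present and consistent. Returning None for an incomplete set, the function names and the sample packets are assumptions of this example; the page does not describe how the product handles incomplete attributes.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # the values the page tells the RADIUS server to send


def response_authenticator(packet, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()


def attributes(packet, request_auth, secret):
    """Check an Access-Accept against the shared secret, then split its attribute TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    packet = packet[:length]  # octets beyond the Length field are padding
    expected = response_authenticator(packet, request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        found.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return found


def dynamic_vlan(packet, request_auth, secret):
    """Return the VLAN ID of the first complete attribute triple, or None."""
    tunnels = {}  # RFC 2868 tag -> {attribute type: decoded value}
    for atype, value in attributes(packet, request_auth, secret):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 1 tag byte + 3 value bytes")
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte <= 0x1F is a tag; anything larger is already string data.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[atype] = text.decode("ascii", "replace")
    for tag in sorted(tunnels):
        t = tunnels[tag]
        group_id = t.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (t.get(TUNNEL_TYPE) == VLAN and t.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and group_id.isdigit() and 1 <= int(group_id) <= 4094):
            return int(group_id)
    return None


def build_accept(attrs, request_auth, secret, ident=1):
    """Construct a sample Access-Accept the way a RADIUS server would sign it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def tagged(tag, number):
    """Encode a tagged integer value: 1 tag byte followed by a 3-byte integer."""
    return bytes([tag]) + number.to_bytes(3, "big")


SECRET = b"test1"                # shared password used in the page's command examples
REQUEST_AUTH = bytes(range(16))  # constructed Request Authenticator

# Constructed replies: one complete triple for VLAN 10, one missing Tunnel-Medium-Type.
COMPLETE = build_accept([(TUNNEL_TYPE, tagged(0, VLAN)),
                         (TUNNEL_MEDIUM_TYPE, tagged(0, IEEE_802)),
                         (TUNNEL_PRIVATE_GROUP_ID, b"10")], REQUEST_AUTH, SECRET)
NO_MEDIUM = build_accept([(TUNNEL_TYPE, tagged(0, VLAN)),
                          (TUNNEL_PRIVATE_GROUP_ID, b"10")], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(dynamic_vlan(COMPLETE, REQUEST_AUTH, SECRET))
    print(dynamic_vlan(NO_MEDIUM, REQUEST_AUTH, SECRET))
```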

If a dynamic VLAN is used, the following actions will occur in respective host modes.

  • Single host mode
    The authentication port’s associated VLAN is changed according to the VLAN attribute value of the supplicant that successfully authenticates.

  • Multi host mode
    The authentication port’s associated VLAN is changed according to the VLAN attribute value of the supplicant that successfully authenticates.
    Other supplicants that are connected to the same port are also permitted to communicate on the same VLAN.

  • Multi supplicant mode
    The authentication port’s associated VLAN is changed according to the VLAN attribute value of the supplicant that successfully authenticates.
    You can specify the VLAN for each supplicant.

3.7. VLAN for unauthenticated or failed-authentication ports

This product’s IEEE 802.1X authentication and MAC authentication allow you to specify a guest VLAN so that unauthenticated ports or ports that failed authentication will be assigned to a specific VLAN.
In the multi supplicant mode, you can specify this for each supplicant.

image

This is useful when you want to partially provide functions on a limited network even to a supplicant that has not succeeded in authenticating, as shown in the illustration above.

3.8. EAP pass-through function

You can switch between enable and disable for EAP pass-through and configure whether EAPOL frames are to be forwarded.
The authentication function will be prioritized for interfaces on which the 802.1X authentication function is enabled, and EAP pass-through will not be applied.

3.9. Attribute values sent to the RADIUS server

The NAS-Identifier attribute value can be sent to the RADIUS server.
The character string set with the auth radius attribute nas-identifier command is sent to the RADIUS server as the NAS-Identifier attribute value.

4. Related Commands

Related commands are indicated below.
For details on the commands, refer to the Command Reference.

Operations | Operating commands
-----------|-------------------
Set IEEE 802.1X authentication function for the entire system | aaa authentication dot1x
Set MAC authentication function for the entire system | aaa authentication auth-mac
Set Web authentication function for the entire system | aaa authentication auth-web
Set IEEE 802.1X authentication function operating mode | dot1x port-control
Set unauthenticated port forwarding control for IEEE 802.1X authentication | dot1x control-direction
Set number of retransmitted EAPOL packets | dot1x max-auth-req
Set MAC authentication function | auth-mac enable
Set MAC address format setting for MAC authentication | auth-mac auth-user
MAC authenticated static registration setting | auth-mac static
Set Web authentication function | auth-web enable
Set redirect-destination URL following successful Web authentication | auth-web redirect-url
Copy Web authentication screen customization files | copy auth-web custom-file
Delete Web authentication screen customization files | erase auth-web custom-file
Set host mode | auth host-mode
Authentication order setting | auth order
Set reauthentication | auth reauthentication
Set dynamic VLAN | auth dynamic-vlan-creation
Set guest VLAN | auth guest-vlan
Set restriction period following failed authentication | auth timeout quiet-period
Set re-authentication interval | auth timeout reauth-period
Set response wait time for the entire RADIUS server | auth timeout server-timeout
Set response wait time for the supplicant | auth timeout supp-timeout
Set RADIUS server host | radius-server host
Set response wait time for a single RADIUS server | radius-server timeout
Set number of times to resend requests to RADIUS server | radius-server retransmit
Set shared password for RADIUS server | radius-server key
Set availability time restriction for RADIUS server | radius-server deadtime
Setting the NAS-Identifier attribute to notify the RADIUS server | auth radius attribute nas-identifier
Show port authentication status | show auth status
Show RADIUS server setting status | show radius-server
Show supplicant status | show auth supplicant
Show statistical information | show auth statistics
Clear statistical information | clear auth statistics
Clear authentication status | clear auth state
Set time at which authentication state is cleared (system) | auth clear-state time
Set time at which authentication state is cleared (interface) | auth clear-state time
Set EAP pass through | pass-through eap

5. Examples of Command Execution

5.1. Set IEEE 802.1X authentication

Make settings so that IEEE 802.1X authentication can be used.

image

  • We will use LAN port #1 as the authentication port to which the supplicant is connected.

  • We will set the host mode to the multi supplicant mode.

  • We will use VLAN #10 as the guest VLAN.

  • We will use 192.168.100.101 as the IP address of the RADIUS server that is connected.

■ Setting Procedure

  1. Define VLAN #10 as the guest VLAN.

    Yamaha(config)#vlan database
    Yamaha(config-vlan)#vlan 10 (1)
    Yamaha(config-vlan)#exit
    1 Define VLAN #10
  2. Enable the IEEE 802.1X authentication function for the entire system.

    Yamaha(config)#aaa authentication dot1x
  3. Set IEEE 802.1X authentication for LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#dot1x port-control auto (1)
    Yamaha(config-if)#auth host-mode multi-supplicant (2)
    Yamaha(config-if)#auth guest-vlan 10 (3)
    Yamaha(config-if)#exit
    1 Set the IEEE 802.1X authentication operating mode to auto
    2 Set the host mode to the multi supplicant mode
    3 Define VLAN #10 as the guest VLAN
  4. Set RADIUS server settings.

    Yamaha(config)#radius-server host 192.168.100.101 key test1 (1)
    1 Set the host to 192.168.100.101 and the shared password to “test1”
  5. Check RADIUS server settings.

    Yamaha#show radius-server
    Server Host : 192.168.100.101
      Authentication Port : 1812
      Secret Key          : test1
      Timeout             : 5 sec
      Retransmit Count    : 3
      Deadtime            : 0 min
  6. Check port authentication settings.

    Yamaha#show auth status
    [System information]
      802.1X Port-Based Authentication : Enabled
      MAC-Based Authentication         : Disabled
      WEB-Based Authentication         : Disabled
    
      Clear-state time : Not configured
    
      Redirect URL :
        Not configured
    
      RADIUS server address :
        192.168.100.101 (port:1812)
    
    [Interface information]
      Interface port1.1 (up)
        802.1X Authentication   : Force Authorized (configured:auto)
        MAC Authentication      : Disabled (configured:disable)
        WEB Authentication      : Enabled (configured:disable)
        Host mode               : Multi-supplicant
        Dynamic VLAN creation   : Disabled
        Guest VLAN              : Enabled (VLAN ID:10)
        Reauthentication        : Disabled
        Reauthentication period : 3600 sec
        MAX request             : 2 times
        Supplicant timeout      : 30 sec
        Server timeout          : 30 sec
        Quiet period            : 60 sec
        Controlled directions   : In (configured:both)
        Protocol version        : 2
        Clear-state time        : Not configured

5.2. Set MAC authentication

Make settings so that MAC authentication can be used.

image

  • We will use LAN port #1 as the authentication port to which the supplicant is connected.

  • We will set the host mode to the multi supplicant mode.

  • We will use 192.168.100.101 as the IP address of the RADIUS server that is connected.

■ Setting Procedure

  1. Enable the MAC authentication function for the entire system.

    Yamaha(config)#aaa authentication auth-mac
  2. Set MAC authentication for LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#auth-mac enable (1)
    Yamaha(config-if)#auth host-mode multi-supplicant (2)
    Yamaha(config-if)#exit
    1 Enable MAC authentication
    2 Set the host mode to the multi supplicant mode
  3. Set RADIUS server settings.

    Yamaha(config)#radius-server host 192.168.100.101 key test1 (1)
    1 Set the host to 192.168.100.101 and the shared password to “test1”
  4. Check RADIUS server settings.

    Yamaha#show radius-server
    Server Host : 192.168.100.101
      Authentication Port : 1812
      Secret Key          : test1
      Timeout             : 5 sec
      Retransmit Count    : 3
      Deadtime            : 0 min
  5. Check port authentication settings.

    Yamaha#show auth status
    [System information]
      802.1X Port-Based Authentication : Disabled
      MAC-Based Authentication         : Enabled
      WEB-Based Authentication         : Disabled
    
      Clear-state time : Not configured
    
      Redirect URL :
        Not configured
    
      RADIUS server address :
        192.168.100.101 (port:1812)
    
    [Interface information]
      Interface port1.1 (up)
        802.1X Authentication   : Force Authorized (configured:-)
        MAC Authentication      : Enabled (configured:enable)
        WEB Authentication      : Disabled (configured:disable)
        Host mode               : Multi-supplicant
        Dynamic VLAN creation   : Disabled
        Guest VLAN              : Disabled
        Reauthentication        : Disabled
        Reauthentication period : 3600 sec
        MAX request             : 2 times
        Supplicant timeout      : 30 sec
        Server timeout          : 30 sec
        Quiet period            : 60 sec
        Controlled directions   : In (configured:both)
        Protocol version        : 2
        Clear-state time        : Not configured
        Authentication status   : Unauthorized

5.3. Set Web authentication

Make settings so that Web authentication can be used.

image

  • We will use LAN port #1 as the authentication port to which the supplicant is connected.

  • We will assume that the IP address of the supplicant is set to 192.168.100.10.

  • We will use 192.168.100.101 as the IP address of the RADIUS server that is connected.

■ Setting Procedure

  1. Assign an IP address to the authenticator for IP communication.

    Yamaha(config)#interface vlan1
    Yamaha(config-if)#ip address 192.168.100.240/24
    Yamaha(config-if)#exit
  2. Enable the Web authentication function for the entire system.

    Yamaha(config)#aaa authentication auth-web
  3. Set Web authentication for LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#auth host-mode multi-supplicant (1)
    Yamaha(config-if)#auth-web enable (2)
    Yamaha(config-if)#exit
    1 Set the host mode to the multi supplicant mode
    2 Enable Web authentication
  4. Set RADIUS server settings.

    Yamaha(config)#radius-server host 192.168.100.101 key test1 (1)
    1 Set the host to 192.168.100.101 and the shared password to “test1”
  5. Check RADIUS server settings.

    Yamaha#show radius-server
    Server Host : 192.168.100.101
      Authentication Port : 1812
      Secret Key          : test1
      Timeout             : 5 sec
      Retransmit Count    : 3
      Deadtime            : 0 min
  6. Check port authentication settings.

    Yamaha#show auth status
    [System information]
      802.1X Port-Based Authentication : Disabled
      MAC-Based Authentication         : Disabled
      WEB-Based Authentication         : Enabled
    
      Clear-state time : Not configured
    
      Redirect URL :
        Not configured
    
      RADIUS server address :
        192.168.100.101 (port:1812)
    
    [Interface information]
      Interface port1.1 (up)
        802.1X Authentication   : Force Authorized (configured:-)
        MAC Authentication      : Disabled (configured:disable)
        WEB Authentication      : Enabled (configured:enable)
        Host mode               : Multi-supplicant
        Dynamic VLAN creation   : Disabled
        Guest VLAN              : Disabled
        Reauthentication        : Disabled
        Reauthentication period : 3600 sec
        MAX request             : 2 times
        Supplicant timeout      : 30 sec
        Server timeout          : 30 sec
        Quiet period            : 60 sec
        Controlled directions   : In (configured:both)
        Protocol version        : 2
        Clear-state time        : Not configured

6. Points of Caution

Using dynamic VLAN in the multi supplicant mode will consume internal resources.
These resources are also used by the ACL and QoS functions. Depending on the settings, there may not be enough resources.
Use caution, since communications may not be possible if there are not enough resources, even though authentication might succeed.