When an end device sends data onto the network, the network needs to be able to tag that traffic with a VNID or SGT. How does the network know who the user is?
Methods for user discovery:
- 802.1X – usually authenticated by Cisco ISE, which is backed by Active Directory.
- MAB – MAC Authentication Bypass – used for devices where no username credentials exist, IP phones for example. The authenticating server (usually ISE) holds a list of MAC addresses, and if the connecting device is in the list, access is permitted.
- Web Authentication – hosts are allowed limited access to the network in order to authenticate via a web browser. Good for situations where 802.1X supplicants are not supported natively, but it means users have to authenticate interactively whenever they connect.
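
The three methods above, modelled as one decision function that ends in a tag assignment. This is an added example, not ISE code or configuration: the function names, the sample directory, the MAC list, the SGT numbers and the order in which the methods are tried are all assumptions made for illustration.

```python
import hmac
import re

# Constructed sample data standing in for the authentication server's stores.
DIRECTORY = {"alice": ("example-passphrase", "Employees")}  # user -> (secret, group)
MAB_LIST = {"001122aabbcc": "IP_Phones"}                    # normalized MAC -> group
SGT = {"Employees": 10, "IP_Phones": 20, "WebAuth_Pending": 999}  # constructed tags


def normalize_mac(mac):
    """Reduce colon, hyphen or dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


def discover(mac, username=None, password=None):
    """Return (method, group, sgt) for a connecting endpoint."""
    mac = normalize_mac(mac)  # reject malformed input before any lookup

    # 802.1X: the endpoint has a supplicant and presents user credentials.
    if username is not None:
        entry = DIRECTORY.get(username)
        supplied = (password or "").encode()
        if entry and hmac.compare_digest(entry[0].encode(), supplied):
            return ("802.1X", entry[1], SGT[entry[1]])
        # Assumption: a failed 802.1X attempt is denied, with no fallback.
        return ("denied", None, None)

    # MAB: no credentials exist, so the MAC address is looked up in the list.
    group = MAB_LIST.get(mac)
    if group is not None:
        return ("MAB", group, SGT[group])

    # Web Authentication: limited access until the user logs in via a browser.
    return ("WebAuth", "WebAuth_Pending", SGT["WebAuth_Pending"])


if __name__ == "__main__":
    # Constructed endpoints: an IP phone, a user laptop, an unknown guest.
    print(discover("0011.22AA.BBCC"))
    print(discover("de:ad:be:ef:00:01", "alice", "example-passphrase"))
    print(discover("de-ad-be-ef-00-02"))
```

Normalizing the MAC before the lookup matters because the same address can be written in colon, hyphen or dotted form, and a string comparison on the raw value would miss a listed device.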