Block subsequent MAC authentication
This feature enhancement gives the administrator the choice of either keeping the current
implementation or enabling a separate option that blocks subsequent MAC authentications if the
RADIUS-assigned VLAN is different from the VLAN of the first authorized station.
Follow the steps in Configuring Security on Avaya Ethernet Routing Switch 4000 Series
NN47205-505 to configure this feature.
Display Block subsequent MAC authentication status
Display Block subsequent MAC authentication status (global and per interface):
4xxx(config)#show eapol multihost [interface X]
[...]
Block Different RAV Auth: Enabled
[...]
Verify Block subsequent MAC authentication
Verify that Block subsequent MAC authentication works by checking syslog after a client with an
invalid or missing VLAN attribute tries to authenticate, or when use of the RADIUS-assigned VLAN is disabled.
4xxx(config)#show logging sort-reverse
[...]
I 00:00:56:59 89 EAP Mac AuthFail - Port: 14 MAC: 1c:bd:b9:e5:cb:42
I 00:00:56:59 88 Trap: bsnEapAccessViolation
I 00:00:56:59 87 EAP Client blocked (Block Subsequent MAC Authentication): EAP Use Rav Not enabled
[...]
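Added example (not from the Avaya documentation): a Python sketch that scans saved "show logging" output for Block Subsequent MAC Authentication events and attaches the port and MAC from the nearby AuthFail entry. The field layout and the pairing rule (same timestamp, AuthFail within three sequence numbers after the block entry) are assumptions inferred from the sample above; the last sample line is constructed.

```python
import re

# Assumed entry layout (inferred from the sample): severity, uptime timestamp,
# sequence number, message text.
ENTRY = re.compile(r"^([A-Z])\s+(\d\d:\d\d:\d\d:\d\d)\s+(\d+)\s+(.*)$")
BLOCKED = re.compile(r"EAP Client blocked \(Block Subsequent MAC\s+Authentication\):\s*(.+)")
AUTHFAIL = re.compile(
    r"EAP Mac AuthFail - Port:\s*(\d+)\s+MAC:\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

# First four lines are the page's sample (wrapped as printed); the last is constructed.
SAMPLE = """\
I 00:00:56:59 89 EAP Mac AuthFail - Port: 14 MAC: 1c:bd:b9:e5:cb:42
I 00:00:56:59 88 Trap: bsnEapAccessViolation
I 00:00:56:59 87 EAP Client blocked (Block Subsequent MAC
Authentication): EAP Use Rav Not enabled
I 00:00:41:07 52 EAP Mac AuthFail - Port: 9 MAC: 02:00:00:00:00:01
"""

def parse_entries(text):
    """Split log text into entries, rejoining lines wrapped by the terminal."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            entries.append({"time": m[2], "seq": int(m[3]), "msg": m[4]})
        elif entries and line and not line.startswith("["):  # skip [...] markers
            entries[-1]["msg"] += " " + line
    return entries

def blocked_clients(text, window=3):
    """Return block events, each paired with the AuthFail entry logged right after it."""
    entries = sorted(parse_entries(text), key=lambda e: e["seq"])
    findings = []
    for e in entries:
        b = BLOCKED.search(e["msg"])
        if not b:
            continue
        hit = {"seq": e["seq"], "time": e["time"], "reason": b[1].strip(),
               "port": None, "mac": None}
        for other in entries:
            near = other["time"] == e["time"] and 0 < other["seq"] - e["seq"] <= window
            a = near and AUTHFAIL.search(other["msg"])
            if a:
                hit.update(port=int(a[1]), mac=a[2].lower())
                break
        findings.append(hit)
    return findings

if __name__ == "__main__":
    print(blocked_clients(SAMPLE))
```

An AuthFail entry with no matching block entry, such as the constructed one on port 9, is not reported, which separates ordinary MAC authentication failures from clients rejected by this feature.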
EAP and Non-EAP separation
Use the EAP/NEAP separation command to disable EAP clients without disabling NEAP
clients.
Follow the steps in Configuring Security on Avaya Ethernet Routing Switch 4000 Series
NN47205-505 to configure the command.
Display EAP protocol status
Display EAP protocol status on the interface:
4xxx(config)#show eapol multihost interface X
[...]
EAPOL Protocol: Disabled
[...]
OR
4xxx(config)#show eapol multihost interface X
[...]
Troubleshooting authentication
160 Troubleshooting Avaya ERS 4000 Series April 2014