109
logs the user out and stops accounting for the user. In Release 1121 and later, this timer takes
effect when the MAC authentication offline detection feature is enabled.
After you set the offline detect timer, assign the same value to the MAC address aging timer by
using the mac-address timer command. This operation prevents a MAC authenticated user
from being offline within the offline detect timer due to MAC address entry expiration.
• Quiet timer—Sets the interval that the device must wait before the device can perform MAC
authentication for a user who has failed MAC authentication. All packets from the MAC address
are dropped during the quiet time. This quiet mechanism prevents repeated authentication from
affecting system performance.
• Server timeout timer—Sets the interval that the device waits for a response from a RADIUS
server before the device regards the RADIUS server unavailable. If the timer expires during
MAC authentication, the user cannot access the network.
To configure MAC authentication timers:
1. Enter system view.
system-view
N/A
2.
authentication timers.
mac-authentication
timer
{
offline-detect
offline-detect-value |
quiet
quiet-value |
server-timeout
server-timeout-value }
By default, the offline detect
timer is 300 seconds, the quiet
timer is 60 seconds, and the
server timeout timer is 100
seconds.
Setting the maximum number of concurrent MAC
authentication users on a port
Perform this task to prevent the system resources from being overused.
To set the maximum number of concurrent MAC authentication users on a port:
1. Enter system view.
system-view
N/A
2. Enter
interface view.
interface
interface-type
interface-number
N/A
3. Set
the maximum number of
concurrent MAC
authentication users on the
port
mac-authentication max-user
user-number
By default,
the maximum
number of concurrent MAC
authentication users on a port is
2048.
Enabling MAC authentication multi-VLAN mode
on a port
The MAC authentication multi-VLAN mode prevents an authenticated online user from service
interruption caused by VLAN changes on a port. When the port receives a packet sourced from the
user in a VLAN not matching the existing MAC-VLAN mapping, the device neither logs off the user
nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic
transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device
until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports.
To Next Page
Loading...
Need help?
General