Configuration Restrictions And Guidelines; Configuration Procedure - HPE FlexNetwork 10500 Series Security Configuration Manual


status of online users and updates the authorization attributes assigned by the server. The attributes
include the ACL and VLAN.
By default, the device logs off online MAC authentication users if no server is reachable for MAC
reauthentication. The keep-online feature keeps authenticated MAC authentication users online
when no server is reachable for MAC reauthentication.

Configuration restrictions and guidelines

When you configure periodic MAC reauthentication, follow these restrictions and guidelines:

• The server-assigned RADIUS Session-Timeout (attribute 27) and Termination-Action (attribute 29) attributes together can affect the periodic MAC reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display mac-authentication connection command (see Security Command Reference).
    ◦ If the termination action is logging off users, periodic MAC reauthentication takes effect only when the periodic reauthentication timer is shorter than the session timeout timer. If the session timeout timer is shorter, the device logs off online authenticated users when the session timeout timer expires.
    ◦ If the termination action is reauthenticating users, the periodic MAC reauthentication configuration on the device cannot take effect. The device reauthenticates online MAC authentication users after the server-assigned session timeout timer expires.
• Support for the server configuration and assignment of session timeout timer and termination action depends on the server model.
• You can set the periodic reauthentication timer either in system view or in interface view by using the mac-authentication timer reauth-period command. A change to the periodic reauthentication timer applies to online users only after the old timer expires.
• The device selects a periodic reauthentication timer for MAC reauthentication in the following order:
    a. Server-assigned reauthentication timer.
    b. Port-specific reauthentication timer.
    c. Global reauthentication timer.
    d. Default reauthentication timer.
• In a fast-recovery network, you can use the keep-online feature to prevent MAC authentication users from coming online and going offline frequently.
• The VLANs assigned to an online user before and after reauthentication can be the same or different.
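
The timer rules above can be checked against a planned RADIUS policy with a small model. This is an added example, not HPE code or device output: the function name, the tuple it returns, and the mapping of Termination-Action values 0 and 1 (RFC 2865) to "log off" and "reauthenticate" are assumptions made for illustration.

```python
DEFAULT_REAUTH_PERIOD = 3600  # seconds; default stated in the configuration procedure

# RADIUS Termination-Action (attribute 29) values from RFC 2865.
# Assumption: 0 (Default) means "log off users", 1 (RADIUS-Request) means
# "reauthenticate users", matching the two cases the guidelines describe.
TA_DEFAULT = 0
TA_RADIUS_REQUEST = 1


def next_event(enabled, port_timer=None, global_timer=None,
               session_timeout=None, termination_action=None):
    """Return (action, seconds, timer_source) for one online MAC auth user.

    enabled            -- periodic MAC reauthentication enabled on the port
    port_timer         -- reauth-period set in interface view, or None
    global_timer       -- reauth-period set in system view, or None
    session_timeout    -- server-assigned Session-Timeout (attr 27), or None
    termination_action -- server-assigned Termination-Action (attr 29), or None
    """
    # Termination action "reauthenticate": the device-side periodic
    # configuration cannot take effect; the server timer drives reauth.
    if session_timeout is not None and termination_action == TA_RADIUS_REQUEST:
        return ("reauthenticate", session_timeout, "server")

    # Local timer selection order: port-specific, then global, then default.
    if port_timer is not None:
        local, source = port_timer, "port"
    elif global_timer is not None:
        local, source = global_timer, "global"
    else:
        local, source = DEFAULT_REAUTH_PERIOD, "default"

    # No server-assigned session timeout: only the local feature applies.
    if session_timeout is None:
        return ("reauthenticate", local, source) if enabled else ("none", None, "n/a")

    # Termination action "log off" (assumed also when attribute 29 is absent):
    # periodic reauth takes effect only if its timer is strictly shorter.
    if enabled and local < session_timeout:
        return ("reauthenticate", local, source)
    return ("logoff", session_timeout, "server")


if __name__ == "__main__":
    # Constructed case: global timer 1800 s, server sends a 900 s logoff timeout.
    print(next_event(True, global_timer=1800, session_timeout=900,
                     termination_action=TA_DEFAULT))
```

The case printed at the end is the one most likely to surprise an operator: periodic reauthentication is enabled, yet the user is logged off after 900 seconds because the server's session timeout is shorter than the local timer.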

Configuration procedure

To configure periodic MAC reauthentication:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. (Optional.) Set the global periodic MAC reauthentication timer. | mac-authentication timer reauth-period reauth-period-value | The default setting is 3600 seconds. |
| 3. Enter interface view. | interface interface-type interface-number | N/A |
| 4. Enable periodic MAC reauthentication. | mac-authentication re-authenticate | By default, periodic MAC reauthentication is disabled on a port. |
