MAC authentication timers
MAC authentication uses the following timers:
Offline detect timer—Sets the interval for the device to wait for traffic from a user before it considers
the user as idle. If a user connection has been idle for two consecutive intervals, the device logs out
the user and stops accounting for the user.
Quiet timer—Sets the interval for the device to wait before it can perform MAC authentication for
a user who has failed MAC authentication. All packets from the MAC address are dropped during
the quiet time interval. This quiet mechanism prevents repeated authentication from affecting system
Server timeout timer—Sets the interval for the device to wait for a response from a RADIUS server
before it considers the RADIUS server as unavailable. If the timer expires during MAC
authentication, the user cannot access the network.
Using MAC authentication with other features
You can specify a VLAN in the user account for a MAC authentication user to control its access to
network resources. After the user passes MAC authentication, the authentication server (either the local
access device or a RADIUS server) assigns the VLAN to the port as the default VLAN. After the user logs
off, either the initial default VLAN or the default VLAN configured before any VLAN is assigned by the
authentication server restores. If the authentication server assigns no VLAN, the initial default VLAN
A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the
assignment, do not reconfigure the port as a tagged member in the VLAN.
If MAC-based VLAN is enabled on a hybrid port, the device maps the server-assigned VLAN to the MAC
address of the user. The default VLAN of the hybrid port does not change.
You can specify an ACL in the user account for a MAC authentication user to control its access to network
resources. After the user passes MAC authentication, the authentication server (either the local access
device or a RADIUS server) assigns the ACL to the access port to filter the traffic from this user. You must
configure the ACL on the access device for the ACL assignment. You can change ACL rules while the user
You can configure an Auth-Fail VLAN on a port to accommodate MAC authentication users that have
failed MAC authentication on the port. Users in the Auth-Fail VLAN can access a limited set of network
resources, such as a software server, to download anti-virus software and system patches. If no MAC
Auth-Fail VLAN is configured, the user who fails MAC authentication cannot access any network
If a user in the Auth-Fail VLAN passes MAC authentication, it is removed from the Auth-Fail VLAN and
can access all authorized network resources. If a user does not pass MAC authentication, it stays in the