Configuring a client for retain-unauth-clients
Complete the following steps to configure a client for enforce-cache reauthentication.
Procedure
- (config)# aaa port-access mac-based <PORT-LIST>
Associates the specified port with the port-access on a MAC-based client.

    Switch(config)# aaa port-access mac-based
     addr-format           Set the MAC address format to be used in the RADIUS request message (default no-delimiter).
     [ethernet] PORT-LIST  Manage MAC address based network authentication on the device ports.
     password              Specify the password for MAC authentication. If in enhanced secure-mode, you will be prompted for the password.
     unauth-redirect       Configure macAuth redirect registration server featu
- (config)# no aaa port-access mac-based addr-format [no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash-uppercase | multi-dash-uppercase | multi-colon-uppercase]
Sets the MAC address format to use. The same format is used for all ports in the system.
- (config)# no aaa port-access mac-based <PORT-LIST> [addr-limit <Limit> | addr-moves | quiet-period <1-65535> | retain-unauth-clients | server-timeout <1-300> | mac-pin | max-requests <1-10> | logoff-period <1-9999999> | reauth-period <0-999999999> | unauth-period <0-255> | auth-vid <VLAN-ID> | unauth-vid <VLAN-ID> | reauthenticate | server-group <SERVER_GROUP>]
Specifies parameters and limits on the configured client authentication.

    Switch(config)# aaa port-access mac-based 1
     addr-limit            Set the port's maximum number of authenticated MAC addresses (default 1).
     addr-moves            Set whether the MAC can move between ports (default disabled - no moves).
     auth-vid              Configures VLAN where to move port after successful authentication (not configured by default).
     cached-reauth-period  Time in seconds, during which cached reauthentication is allowed on the port. The minimum reauthentication period should be greater than 30 seconds.
     logoff-period         Set the period of time of inactivity that the switch considers an implicit logoff (default 300 seconds).
     mac-pin               Forces the clients to remain in authenticated state even upon log-off expiry.
     max-requests          Set maximum number of times the switch retransmits authentication requests (default 3).
     quiet-period          Set the period of time the switch does not try to authenticate (default 60 seconds).
     reauth-period         Set the re-authentication timeout in seconds; set to '0' to disable re-authentication (default 0).
     reauthenticate        Force re-authentication to happen.
     retain-unauth-clients Enable access to unauthorized clients by placing port in unauthorized VLAN during reauthentication
     server-group          Specify the server group to use.
     server-timeout        Set the authentication server response timeout (default 300 seconds).
     unauth-period         Set period of time the switch waits before moving the port to the VLAN for unauthenticated clients.
     unauth-vid            Configures VLAN where to keep port while there is an unauthorized client connected (not configured by default).

    Switch(config)# aaa port-access mac-based 1 server-group
     ASCII-STR             Enter an ASCII string.

    Switch(config)# aaa port-access mac-based 1 server-group group1

    Switch# show port-access mac-based 1 config

     Port Access MAC-Based Configuration

      MAC Address Format : no-delimiter
      Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
      Mac password :
      Unauth Redirect Configuration URL :
      Unauth Redirect Client Timeout (sec) : 1800
      Unauth Redirect Restrictive Filter : Disabled
      Total Unauth Redirect Client Count : 0
      RADIUS Server Group : group1

                    Client Client Logoff    Re-Auth   Unauth  Auth    Cntrl
      Port  Enabled Limit  Moves  Period    Period    VLAN ID VLAN ID Dir
      ----- ------- ------ ------ --------- --------- ------- ------- -----
      1     No      1      No     300       0         0       0       both
- no aaa port-access mac-based password <PASSWORD>
The password form of the command sets the global password for all MAC authentication clients. This password is used instead of the client's MAC address in the RADIUS request.
- aaa port-access mac-based <port-list> retain-unauth-clients
Retain unauth-vid is not enabled.
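
The following is an added example, not part of the original documentation: a small Python audit that parses the per-port table of "show port-access mac-based <port> config" shown above and flags ports whose settings leave retain-unauth-clients without an unauthorized VLAN to fall back on. Assumptions: the Enabled column reads "Yes" when MAC authentication is on, a 0 in the Unauth VLAN ID column means unauth-vid is not configured, and the port 2 row in the sample is constructed for contrast.

```python
import re

# Constructed sample modelled on the show output on this page.
# The port 2 row is invented to show a port that passes every check.
SAMPLE = """\
 Port Access MAC-Based Configuration

  MAC Address Format : no-delimiter
  RADIUS Server Group : group1

                Client Client Logoff    Re-Auth   Unauth  Auth    Cntrl
  Port  Enabled Limit  Moves  Period    Period    VLAN ID VLAN ID Dir
  ----- ------- ------ ------ --------- --------- ------- ------- -----
  1     No      1      No     300       0         0       0       both
  2     Yes     1      No     300       3600      99      10      both
"""

COLUMNS = ("port", "enabled", "addr_limit", "addr_moves", "logoff_period",
           "reauth_period", "unauth_vid", "auth_vid", "cntrl_dir")

def parse_ports(text):
    """Return one dict per port row found below the dashed separator line."""
    rows, in_table = [], False
    for line in text.splitlines():
        if re.fullmatch(r"\s*-+(\s+-+)+\s*", line):
            in_table = True
        elif in_table and len(line.split()) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, line.split())))
    return rows

def audit(text):
    """Return (port, finding) pairs for settings worth a second look."""
    findings = []
    for p in parse_ports(text):
        # Assumption: the Enabled column reads "Yes" when MAC auth is on.
        if p["enabled"] != "Yes":
            findings.append((p["port"], "MAC authentication not enabled"))
        # reauth-period 0 disables re-authentication (per the CLI help text).
        if p["reauth_period"] == "0":
            findings.append((p["port"], "re-authentication disabled"))
        # Assumption: 0 in the Unauth VLAN ID column means unauth-vid is unset.
        if p["unauth_vid"] == "0":
            findings.append((p["port"], "no unauth-vid configured"))
    return findings

if __name__ == "__main__":
    for port, message in audit(SAMPLE):
        print(f"port {port}: {message}")
```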