Configuring a client for retain-unauth-clients

The following steps configure a client for enforce-cache reauthentication.

  1. switch(config)# aaa port-access mac-based <PORT-LIST>
    Associates the specified port with the port-access on a MAC-based client.
    switch(config)# aaa port-access mac-based 
     addr-format           Set the MAC address format to be used in the RADIUS 
                           request message (default no-delimiter).
     [ethernet] PORT-LIST  Manage MAC address based network authentication on the 
                           device ports.
     password              Specify the password for MAC authentication. If in 
                           enhanced secure-mode, you will be prompted for the 
     unauth-redirect       Configure macAuth redirect registration server featu
  2. switch(config)# no aaa port-access mac-based addr-format [no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash-uppercase | multi-dash-uppercase | multi-colon-uppercase]

    Sets the MAC address format to use. The same format is used for all ports in the system.

  3. switch(config)# no aaa port-access mac-based <PORT-LIST> [addr-limit <Limit> | addr-moves | quiet-period <1-65535> | retain-unauth-clients | server-timeout <1-300> | mac-pin | max-requests <1-10> | logoff-period <1-9999999> | reauth-period <0-999999999> | unauth-period <0-255> | auth-vid <VLAN-ID> | unauth-vid <VLAN-ID> | reauthenticate | server-group <SERVER_GROUP>]

    Specifies parameters and limits on the configured client authentication.

    switch(config)#aaa port-access mac-based 1 
     addr-limit            Set the port's maximum number of authenticated MAC
                           addresses (default 1).
     addr-moves            Set whether the MAC can move between ports (default 
                           disabled - no moves).
     auth-vid              Configures VLAN where to move port after successful 
                           authentication (not configured by default).
     cached-reauth-period  Time in seconds, during which cached reauthentication is
                           allowed on the port.The minimum reauthentication period
                           should be greater than 30 seconds.
     logoff-period         Set the period of time of inactivity that the switch 
                           considers an implicit logoff (default 300 seconds).
     mac-pin               Forces the clients to remain in authenticated state even
                           upon log-off expiry.
     max-requests          Set maximum number of times the switch retransmits 
                           authentication requests (default 3).
     quiet-period          Set the period of time the switch does not try to 
                           authenticate (default 60 seconds).
     reauth-period         Set the re-authentication timeout in seconds; set to '0'
                           to disable re-authentication (default 0).
     reauthenticate        Force re-authentication to happen.
     retain-unauth-clients Enable access to unauthorized clients by placing port in
                           unauthorized VLAN during reauthentication
     server-group          Specify the server group to use.
     server-timeout        Set the authentication server response timeout (default
                           300 seconds).
     unauth-period         Set period of time the switch waits before moving the 
                           port to the VLAN for unauthenticated clients.
     unauth-vid            Configures VLAN where to keep port while there is an 
                           unauthorized client connected (not configured by 
    switch(config)# aaa port-access mac-based 1 server-group 
     ASCII-STR             Enter an ASCII string.
    switch(config)# aaa port-access mac-based 1 server-group group1 
    switch(config)#show port-access mac-based 1 config 
     Port Access MAC-Based Configuration
      MAC Address Format : no-delimiter
      Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No 
      Mac password : 
      Unauth Redirect Configuration URL :                                          
      Unauth Redirect Client Timeout (sec) : 1800 
      Unauth Redirect Restrictive Filter : Disabled 
      Total Unauth Redirect Client Count : 0     
      RADIUS Server Group : group1                                           
                    Client Client Logoff    Re-Auth   Unauth  Auth    Cntrl
      Port  Enabled Limit  Moves  Period    Period    VLAN ID VLAN ID Dir  
      ----- ------- ------ ------ --------- --------- ------- ------- -----
      1     No      1      No     300       0         0       0       both
  4. no aaa port-access mac-based password <PASSWORD>

    The password form of the command sets the global password for all MAC authentication clients. This password is used instead of the client's MAC address in the RADIUS request.

  5. aaa port-access mac-based <port-list> retain-unauth-clients

    Retain unauth-vid is not enabled.
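As an added example (not part of the switch documentation), the following Python script parses the `show port-access mac-based config` output shown in step 3 and reports ports where MAC-based authentication is not enabled or where reauth-period is 0 (re-authentication disabled), plus an empty global MAC-auth password. The sample output is constructed from the page's example; the port 2 row and the parsing helpers are assumptions made here.

```python
# Sample output constructed from the page's "show port-access mac-based 1 config"
# example; the port 2 row is added here for illustration (not from the page).
SAMPLE = """\
 Port Access MAC-Based Configuration
  MAC Address Format : no-delimiter
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Mac password :
  Unauth Redirect Client Timeout (sec) : 1800
  RADIUS Server Group : group1
                Client Client Logoff    Re-Auth   Unauth  Auth    Cntrl
  Port  Enabled Limit  Moves  Period    Period    VLAN ID VLAN ID Dir
  ----- ------- ------ ------ --------- --------- ------- ------- -----
  1     No      1      No     300       0         0       0       both
  2     Yes     1      No     300       3600      99      10      both
"""

# Column order of the per-port table, taken from the show output header.
COLUMNS = ["port", "enabled", "limit", "moves", "logoff", "reauth",
           "unauth_vid", "auth_vid", "dir"]

def parse_mac_based_config(text):
    """Split the show output into global 'key : value' settings and per-port rows."""
    settings, ports, in_table = {}, [], False
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("-----"):
            in_table = True  # the dash rule ends the table header; rows follow
            continue
        if in_table:
            fields = s.split()  # values never contain spaces, so whitespace split is safe
            if len(fields) == len(COLUMNS):
                ports.append(dict(zip(COLUMNS, fields)))
        elif ":" in s:
            key, _, value = s.partition(":")
            settings[key.strip()] = value.strip()
    return settings, ports

def audit(text):
    """Report settings that weaken MAC-based auth, per the command help on this page."""
    settings, ports = parse_mac_based_config(text)
    findings = []
    if not settings.get("Mac password"):
        findings.append("global: no MAC-auth password; the client MAC is used in the RADIUS request")
    for p in ports:
        if p["enabled"] != "Yes":
            findings.append(f"port {p['port']}: MAC-based authentication not enabled")
        if p["reauth"] == "0":
            findings.append(f"port {p['port']}: reauth-period 0, re-authentication disabled")
    return findings
```

Feed it the captured output of `show port-access mac-based config` for all ports to get a per-port list of findings.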