Impact of pre-auth role on existing features
- Unauthenticated devices
Configuring a pre-auth role VLAN changes the behavior of unauthenticated devices. Normally, authentication-enabled ports do not give an unauthenticated client any network access until the device is authenticated by the RADIUS server. With a pre-auth role VLAN configured, the client is assigned to the pre-auth role VLAN until the RADIUS server authenticates the device.
Unauthenticated clients are placed into the VLAN specified in the pre-auth role. After being authenticated by the RADIUS server, the client is placed into the VLAN specified in the RADIUS authentication command string or as specified in the RADIUS authentication accept string.
- LLDP-bypass
When LLDP-bypass is enabled on the switch, Aruba APs are not authenticated. Therefore, the pre-auth role VLAN is not applicable.
- Bypass using device-identity
Pre-auth role VLAN is not applicable to VoIP devices because they do not need authentication. It is applicable to PCs that need authentication.
- ACLs applied on an interface
If an ACL rule is applied on an interface that is part of a pre-auth role VLAN, traffic coming through that interface is affected according to the rule in the ACL.
- ACLs applied on a VLAN
If an ACL rule is applied on a pre-auth role VLAN, traffic entering that VLAN is affected according to the rule in the ACL.
- Rate-limiting on an interface
If traffic is rate-limited on an interface that is part of a pre-auth role VLAN, the traffic is affected according to the rule in the rate-limiting configuration command.
- Authenticated or rejected clients
Clients that are authenticated or rejected by the RADIUS server are given different VLANs. These clients are moved from the pre-auth role to new VLANs based on the authentication by the RADIUS server.
- MAC pinning
Clients whose MAC addresses are pinned and have undergone authentication will always be treated as authenticated. Pre-auth role VLAN is not applicable in this scenario.
- Effect of RADIUS tracking on pre-auth role
If RADIUS tracking is enabled and no RADIUS server is available for authentication, the port will be changed from the pre-auth role VLAN to the critical VLAN. The time taken to move from the pre-auth role VLAN to the critical VLAN depends on the time it takes for the RADIUS tracker to inform the subsystem.
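
The VLAN transitions listed above can be replayed for one client to see which VLANs it is placed in without a RADIUS accept. This is an added example, not switch code or vendor tooling. The VLAN IDs, the event names, the `reject_vlan` field and the order in which the rules are checked are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Port:
    pre_auth_vlan: Optional[int]   # None: no pre-auth role VLAN configured
    critical_vlan: int
    reject_vlan: int               # assumed VLAN for RADIUS-rejected clients
    radius_tracking: bool = False
    lldp_bypass_ap: bool = False   # Aruba AP on a switch with LLDP-bypass
    voip_bypass: bool = False      # VoIP device bypassed by device-identity
    mac_pinned: bool = False       # pinned MAC that has already authenticated

Step = Tuple[str, Optional[int]]   # (state, VLAN); VLAN None = none modelled

def vlan_history(port: Port, events: List[Step]) -> List[Step]:
    """Replay events for one client and return every (state, VLAN) it held."""
    # Cases where the page says the pre-auth role VLAN is not applicable.
    if port.lldp_bypass_ap or port.voip_bypass or port.mac_pinned:
        return [("not-applicable", None)]
    if port.pre_auth_vlan is None:
        history = [("no-access", None)]   # default behaviour before authentication
    else:
        history = [("pre-auth", port.pre_auth_vlan)]
    for kind, vlan in events:
        state = history[-1][0]
        if kind == "accept":              # VLAN comes from the RADIUS accept
            history.append(("authenticated", vlan))
        elif kind == "reject":
            history.append(("rejected", port.reject_vlan))
        elif kind == "tracker_down" and port.radius_tracking and state == "pre-auth":
            # Happens only once the RADIUS tracker reports no reachable server.
            history.append(("critical", port.critical_vlan))
    return history

def vlans_without_accept(history: List[Step]) -> List[int]:
    """VLANs the client was placed in without a RADIUS accept."""
    return sorted({v for s, v in history if s != "authenticated" and v is not None})

if __name__ == "__main__":
    # Constructed sample port and events.
    port = Port(pre_auth_vlan=100, critical_vlan=300, reject_vlan=200, radius_tracking=True)
    for events in ([("accept", 10)], [("reject", None)], [("tracker_down", None)]):
        h = vlan_history(port, events)
        print(events, "->", h, "| without accept:", vlans_without_accept(h))
```

The VLANs returned by `vlans_without_accept` are the ones whose ACL and rate-limiting rules apply to a client that has not been accepted by the RADIUS server.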