Impact of pre-auth role on existing features

Unauthenticated devices

Configuring a pre-auth role VLAN changes the behavior of unauthenticated devices. Normally, an authentication-enabled port does not give an unauthenticated client any network access until the RADIUS server authenticates the device. With a pre-auth role VLAN configured, the client is assigned to the pre-auth role VLAN until the RADIUS server authenticates the device.

Unauthenticated clients are placed into the VLAN specified in the pre-auth role. After being authenticated by the RADIUS server, the client is placed into the VLAN specified in the RADIUS authentication command string or in the RADIUS authentication accept string.

LLDP-bypass

When LLDP-bypass is enabled on the switch, Aruba APs are not authenticated. Therefore pre-auth role VLAN is not applicable.

Bypass using device-identity

Pre-auth role VLAN is not applicable to VoIP devices because they do not need authentication. It is applicable to PCs that need authentication.

ACLs applied on an interface

If an ACL rule is applied on an interface that is part of a pre-auth role VLAN, traffic coming through that interface is affected according to the rule in the ACL.

ACLs applied on a VLAN

If an ACL rule is applied on a pre-auth role VLAN, traffic entering that VLAN is affected according to the rule in the ACL.

Rate-limiting on an interface

If traffic is rate-limited on an interface that is part of a pre-auth role VLAN, the traffic is affected according to the rule in the rate-limiting configuration command.

Authenticated or rejected clients

Clients that are authenticated or rejected by the RADIUS server are given different VLANs. These clients are moved from the pre-auth role VLAN to new VLANs based on the authentication by the RADIUS server.

MAC pinning

Clients whose MAC addresses are pinned and have undergone authentication will always be treated as authenticated. Pre-auth role VLAN is not applicable in this scenario.

Effect of RADIUS tracking on pre-auth role

If RADIUS tracking is enabled and no RADIUS server is available for authentication, the port is changed from the pre-auth role VLAN to a critical VLAN. The time taken to move from the pre-auth role VLAN to the critical VLAN depends on how long the RADIUS tracker takes to inform the subsystem.