Configuration restrictions and guidelines
When you configure periodic MAC reauthentication, follow these restrictions and guidelines:
The server-assigned RADIUS Session-Timeout (attribute 27) and Termination-Action (attribute 29) attributes together can affect the periodic MAC reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display mac-authentication connection command (see Security Command Reference).
If the termination action is logging off users, periodic MAC reauthentication takes effect only when the periodic reauthentication timer is shorter than the session timeout timer. If the session timeout timer is shorter, the device logs off online authenticated users when the session timeout timer expires.
If the termination action is reauthenticating users, the periodic MAC reauthentication configuration on the device cannot take effect. The device reauthenticates online MAC authentication users after the server-assigned session timeout timer expires.
Support for the server configuration and assignment of session timeout timer and termination action depends on the server model.
You can set the periodic reauthentication timer either in system view or in interface view by using the mac-authentication timer reauth-period command. A change to the periodic reauthentication timer applies to online users only after the old timer expires.
The device selects a periodic reauthentication timer for MAC reauthentication in the following order:
Server-assigned reauthentication timer.
Port-specific reauthentication timer.
Global reauthentication timer.
Default reauthentication timer.
In a fast-recovery network, you can use the keep-online feature to prevent MAC authentication users from coming online and going offline frequently.
The VLANs assigned to an online user before and after reauthentication can be the same or different.