MAC-Based Authentication Delay

Prior to ExtremeXOS 21.1, the default behavior was to authenticate clients using all enabled authentication methods on a port—MAC, 802.1X, and Web-based—for backward compatibility. By default, MAC authentication was triggered immediately upon receiving the first packet from the client.

To delay MAC authentication, users can configure the MAC authentication delay period using the CLI. The default value is 0 seconds, but it can be set between 0 and 120 seconds.

Example scenario

Assume MAC, 802.1X, and Web-based authentication are enabled on a port. When a client connects:

• With no delay configured, ExtremeXOS immediately performs MAC authentication, applies the associated action, and then proceeds with 802.1X authentication if triggered.
• If 802.1X is preferred over MAC, the MAC authentication action is unapplied, and the 802.1X action is applied.
• Only one authentication method (MAC or 802.1X) can use the Extreme-URL-Redirect VSA. The URL from the first authenticated method is processed and used; changes in authentication order do not affect this.

To delay or bypass MAC authentication, configure the MAC authentication delay period per port. When the first packet is received, ExtremeXOS waits for the configured delay period before triggering MAC authentication, allowing time for preferred methods like 802.1X to initiate.

In this case, the user "Adam" can authenticate using 802.1X during the delay period. The time ExtremeXOS waits before initiating MAC authentication is the MAC authentication delay period, and it is fully user-configurable.