Clients (n) connect to a switch port. The maximum number of clients (EAP + NEAP) allowed on a port is 8192.
EAP is enabled and the default operation mode is MHMV.
Modify client counters to authenticate n clients.
Initial VLANs are the VLANs that are manually set up before EAP is enabled.
Port default VLAN ID is equal to one of the initial VLAN IDs.
All clients are unauthenticated, hence the clients cannot access the network.
Note
The clients cannot access the network as they are not authenticated.
Client PC1 does not receive RADIUS VLAN attribute:
There are no changes to the port membership and port default VLAN ID.
PC1 is the only client that is allowed access to the initial VLANs.
A VLAN MAC rule is added that associates the MAC with the default VLAN ID.
If the VLAN is configured on the port, then the tagged traffic from PC1 is forwarded to the VLAN associated with the tag.
Untagged traffic from PC1 is forwarded to the port default VLAN.
Client PC1 receives RADIUS VLAN attribute:
The port is left in all initial VLANs and added to the VLAN corresponding to the RADIUS VLAN attribute.
Port default VLAN remains unchanged.
A VLAN MAC based rule is configured for client PC1.
Using the VLAN MAC based capabilities, the untagged traffic from PC1 goes to the RADIUS assigned VLAN 1 as shown in the figure below.
Client PC1 can access all initial VLANs using tagged frames.
The remaining clients stay unauthenticated and cannot access any VLANs.
Note
PC1 is authenticated with RADIUS VLAN 1. The other clients cannot access the network as they are unauthenticated.
The MAC VLAN rule is removed from the switch.
If the RADIUS VLAN attribute was used when the client was authenticated and no other clients are authenticated on that RADIUS VLAN, then the port is removed from the VLAN.
The RADIUS accounting attribute Acct-Terminate-Cause indicates how a session was terminated.
The RADIUS accounting attribute Event-Timestamp indicates the time that an event occurred on the Network Access Server (NAS).
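
The per-port MHMV behavior described above (authentication with and without a RADIUS VLAN attribute, then client removal) can be traced with a small state model. This is an added example, not switch firmware or vendor code: the MhmvPort class, its method names, and the VLAN and client values are hypothetical, and it assumes "configured on the port" means current port membership.

```python
from dataclasses import dataclass, field

MAX_CLIENTS = 8192  # per-port EAP + NEAP limit stated on the page

@dataclass
class MhmvPort:
    initial_vlans: set   # VLANs set up manually before EAP was enabled
    default_vlan: int    # port default VLAN ID; never changed by authentication
    radius_vlans: dict = field(default_factory=dict)  # RADIUS VLAN -> MACs using it
    mac_rules: dict = field(default_factory=dict)     # MAC -> VLAN for untagged frames

    def __post_init__(self):
        if self.default_vlan not in self.initial_vlans:
            raise ValueError("default VLAN ID must be one of the initial VLANs")

    def members(self):
        """VLANs the port currently belongs to."""
        return set(self.initial_vlans) | set(self.radius_vlans)

    def authenticate(self, mac, radius_vlan=None):
        self.logoff(mac)  # re-authentication replaces earlier state
        if len(self.mac_rules) >= MAX_CLIENTS:
            raise RuntimeError("per-port client limit reached")
        if radius_vlan is not None:  # port is added to the RADIUS VLAN
            self.radius_vlans.setdefault(radius_vlan, set()).add(mac)
        self.mac_rules[mac] = self.default_vlan if radius_vlan is None else radius_vlan

    def forward(self, mac, tag=None):
        """VLAN a frame is forwarded to, or None if it is dropped."""
        if mac not in self.mac_rules:
            return None                 # unauthenticated client: no access
        if tag is None:
            return self.mac_rules[mac]  # untagged: follow the VLAN MAC rule
        # Assumption: "configured on the port" means current port membership.
        return tag if tag in self.members() else None

    def logoff(self, mac):
        vlan = self.mac_rules.pop(mac, None)  # VLAN MAC rule is removed
        users = self.radius_vlans.get(vlan, set())
        users.discard(mac)
        if vlan in self.radius_vlans and not users:
            del self.radius_vlans[vlan]       # last client: port leaves the VLAN

if __name__ == "__main__":
    port = MhmvPort({10, 20}, 10)             # constructed sample values
    port.authenticate("PC1", radius_vlan=30)
    port.authenticate("PC2")
    print(port.forward("PC1"), port.forward("PC2"), port.forward("PC3"))
    port.logoff("PC1")
    print(sorted(port.members()))
```

When auditing a port, the state to compare against this model is the port's VLAN membership and its VLAN MAC rules after each authentication and logoff event.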