Consider the following when you use port and VLAN based attributes:
Configuring Custom Auto-Negotiation Advertisements on a port triggers a port bounce, which generates new client authentication.
DHCP Snooping Option 82 is not supported.
IGMP Snooping is not supported on a DvR Leaf.
Change-of-Authorization (CoA) functionality is not supported; Disconnect and Reauthenticate options are supported.
On Flex-UNI ports, if the I-SID received from the RADIUS server does not have a platform VLAN associated with it, settings are not applied. When a platform VLAN is associated with the I-SID, EAP reauthentication is generated to apply the settings by bouncing a port, bouncing EAP on a port, or by using CoA Reauthenticate.
Only settings that can be configured manually can be configured dynamically using EAP.
IP Source Guard restrictions apply even if the feature is configured on the RADIUS server.
Maximum 10 entries per port
Maximum 1000 entries per server
DHCP Snooping and DAI must be enabled on all VLAN members of the RADIUS configured port.
If multiple client authentication is permitted in MHMV mode, RADIUS settings can be applied incrementally as subsequent clients authenticate.
If a client authenticates with DHCP Snooping, DAI, and IP Source Guard attributes on the VLAN and a second client attempts to authenticate with the same attributes, consider the following:
If the second client uses the same VLAN as the first client, only IP Source Guard applies on the RADIUS configuration port.
If the second client uses a different VLAN, DHCP Snooping and DAI apply on the VLAN and the IP Source Guard applies on the RADIUS configuration port.
If you configure a Guest VLAN on a port and the RADIUS server returns IP Source Guard as a result of EAP or NEAP authentication, then you should manually remove static VLANs from that port. Alternatively, you can enable DHCP Snooping and DAI on static VLANs.
If you configure a port with multiple platform VLANs and the RADIUS server returns IP Source Guard as a result of EAP/NEAP authentication, then you must manually configure DHCP Snooping and DAI on static platform VLANs.
The reauthentication flag and reauthentication period attributes origin can be either CONFIG or RADIUS. Different origins for reauthentication flag and reauthentication period attributes are valid.
You can configure the reauthentication flag with or without a time interval in CLI or RADIUS VSA. If you do not specify a time interval when you enable reauthentication on a port from RADIUS, the reauthentication period origin does not change.
If a RADIUS client specifies the same value as the one that already exists in static configuration through CLI, the origin remains as CONFIG.
If you enable reauthentication through CLI and you configure a specific period using the command re-authentication-period <60-65535> the origin is CONFIG.
The following message displays to indicate that RADIUS clients use the configuration:
WARNING: Setting used by Radius Client. Are you sure you want to continue? (y/n)?
If the reauthentication period attribute was configured with the reauthentication flag through RADIUS VSA, the origin is RADIUS.
When you change the reauthentication period attribute in CLI, the following message displays to indicate that the origin of this parameter is RADIUS.
WARNING: Current port reauth period has RADIUS origin. Are you sure you want to continue? (y/n)?
Changing a parameter in CLI that was originally configured using RADIUS,changes the origin to CONFIG.
Dynamic cleanup is supported. When the last client to authenticate using a dynamic setting is removed, the following dynamic settings are also removed:
Dynamic ARP Inspection (DAI)
DHCP Snooping
IGMP Snooping
IP Source Guard
Reauthentication
However, the following settings can only be removed by disabling EAP:
SLPP Guard
BPDU Guard
Traffic Control (Wake on LAN)
Custom Auto-Negotiation Advertisements
For more information, see Extreme-Dynamic-Config.