Consider the following when you use port and VLAN based attributes:
Configuring Custom Auto-Negotiation Advertisements (CANA) on a port triggers a port bounce, which generates new client authentication.
DHCP Snooping Option 82 is not supported.
IGMP Snooping is not supported on a DvR Leaf.
Disconnect requests execute a disconnect command for the client. If the PORTBOUNCE attribute is included, then it only performs a port bounce.
Change-of-Authorization (CoA) requests perform the change of authorized configuration for the supported attributes. If the PORTBOUNCE attribute is included, then it only performs a port bounce.
On Flex-UNI ports, if the I-SID received from the RADIUS server does not have a platform VLAN associated with it, attributes are not applied. When a platform VLAN is associated with the I-SID, EAP reauthentication is generated to apply the attribute by bouncing a port, bouncing EAP on a port, or by using CoA Reauthenticate.
This consideration only applies if IP Source Guard is received from the RADIUS server. Otherwise, DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled based on the behavior described in Expected Behavior for DHCP Snooping and DAI Vendor Specific Attributes.
Only attributes that can be configured manually can be configured dynamically using EAP.
IP Source Guard restrictions apply even if the feature is configured on the RADIUS server:
Maximum 10 entries per port
Maximum 1000 entries per server
DHCP Snooping and DAI must be enabled on all VLAN members of the RADIUS configured port.
If multiple client authentication is permitted in MHMV mode, you can apply RADIUS attributes incrementally as subsequent clients authenticate.
If a client authenticates with DHCP Snooping, DAI, and IP Source Guard attributes on the VLAN and a second client attempts to authenticate with the same attributes, consider the following:
If the second client uses the same VLAN as the first client, only IP Source Guard applies on the RADIUS configuration port.
If the second client uses a different VLAN, DHCP Snooping and DAI apply on the VLAN and the IP Source Guard applies on the RADIUS configuration port.
If you configure a Guest VLAN on a port and the RADIUS server returns IP Source Guard as a result of EAP or NEAP authentication, then you should manually remove static VLANs from that port. Alternatively, you can enable DHCP Snooping and DAI on static VLANs.
If you configure a port with multiple platform VLANs and the RADIUS server returns IP Source Guard as a result of EAP/NEAP authentication, then you must manually configure DHCP Snooping and DAI on static platform VLANs.
The origin of the reauthentication flag and reauthentication period attributes can be either CONFIG or RADIUS. The two attributes can have different origins.
You can configure the reauthentication flag with or without a time interval in CLI or RADIUS VSA. If you do not specify a time interval when you enable reauthentication on a port from RADIUS, the reauthentication period origin does not change.
If a RADIUS client specifies the same value as the one that already exists in static configuration through CLI, the origin remains as CONFIG.
If you enable reauthentication through CLI and you configure a specific period using the command re-authentication-period <60-65535>, the origin is CONFIG.
The following message displays to indicate that RADIUS clients use the configuration:
WARNING: Setting used by Radius Client. Are you sure you want to continue? (y/n)?
If the reauthentication period attribute was configured with the reauthentication flag through RADIUS VSA, the origin is RADIUS.
When you change the reauthentication period attribute in CLI, the following message displays to indicate that the origin of this parameter is RADIUS.
WARNING: Current port reauth period has RADIUS origin. Are you sure you want to continue? (y/n)?
Changing a parameter in CLI that was originally configured using RADIUS changes the origin to CONFIG.
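The origin rules above can be traced with a small model. This is an added example, not the switch's own code. The names PortReauth, apply_radius and cli_set_period and the starting period of 3600 are assumptions made for illustration, and only the RADIUS-origin period warning is modeled as a confirmation.

```python
from dataclasses import dataclass

CONFIG, RADIUS = "CONFIG", "RADIUS"

@dataclass
class Setting:
    value: object
    origin: str = CONFIG

class PortReauth:
    """Toy model of one port's reauthentication flag, period and their origins."""

    def __init__(self, enabled=False, period=3600):  # constructed starting values
        self.flag = Setting(enabled)
        self.period = Setting(period)

    @staticmethod
    def _from_radius(setting, value):
        # A RADIUS value equal to the static CLI value leaves the origin as CONFIG.
        if setting.origin == CONFIG and setting.value == value:
            return
        setting.value, setting.origin = value, RADIUS

    def apply_radius(self, enabled, period=None):
        """Apply the reauthentication VSA; period=None means no time interval sent."""
        self._from_radius(self.flag, enabled)
        if period is not None:  # without an interval the period origin does not change
            self._from_radius(self.period, period)

    def cli_set_period(self, seconds, confirm=False):
        """CLI change; returns False if the RADIUS-origin prompt was not confirmed."""
        if not 60 <= seconds <= 65535:
            raise ValueError("re-authentication-period must be in 60-65535")
        if self.period.origin == RADIUS and not confirm:
            return False  # operator answered 'n' to the warning
        self.period = Setting(seconds, CONFIG)  # a CLI change makes the origin CONFIG
        return True

    def origins(self):
        return {"flag": self.flag.origin, "period": self.period.origin}

def demo():
    port = PortReauth(enabled=False, period=3600)
    port.apply_radius(True)          # flag only, no time interval
    port.apply_radius(True, 3600)    # same period as the static configuration
    step1 = port.origins()
    port.apply_radius(True, 600)     # new period supplied by RADIUS
    step2 = port.origins()
    port.cli_set_period(900, confirm=True)
    return step1, step2, port.origins()

if __name__ == "__main__":
    print(demo())
```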
Dynamic cleanup is supported. When the last client to authenticate using a dynamic attribute is removed, the following dynamic attributes are also removed:
Dynamic ARP Inspection (DAI)
DHCP Snooping
IGMP Snooping
IP Source Guard
Reauthentication
However, the following attributes can only be removed by disabling EAP:
SLPP Guard
BPDU Guard
Traffic Control (Wake on LAN)
Custom Auto-Negotiation Advertisements
For more information, see Extreme-Dynamic-Config.