The following example illustrates the usage scenario for an MHMV port with unauthenticated clients:
Clients (n) connect to a switch port. For the maximum number of clients (EAP + NEAP) allowed on a port, see Fabric Engine Release Notes.
EAP is enabled and the default operation mode is MHMV.
Modify client counters to authenticate n clients.
Initial VLANs are the VLANs that are manually set up before EAP is enabled.
Port default VLAN ID is equal to one of the initial VLAN IDs.
All clients are unauthenticated, hence the clients cannot access the network.
The following figure represents the functionality when clients are not authenticated.
Note
The clients cannot access the network because they are not authenticated.
When client PC1 authenticates, there are two scenarios:
Client PC1 does not receive RADIUS VLAN attribute:
There are no changes to the port membership and port default VLAN ID.
PC1 is the only client that is allowed access to the initial VLANs.
A VLAN MAC rule is added that associates the MAC with the default VLAN ID.
If the VLAN is configured on the port, then the tagged traffic from PC1 is forwarded to the VLAN associated with the tag.
Untagged traffic from PC1 is forwarded to the port default VLAN.
Client PC1 receives RADIUS VLAN attribute:
The port is left in all initial VLANs and added to the VLAN corresponding to the RADIUS VLAN attribute.
Port default VLAN remains unchanged.
A VLAN MAC based rule is configured for client PC1.
Using the VLAN MAC based capabilities, the untagged traffic from PC1 goes to the RADIUS assigned VLAN 1 as shown in MHMV - authenticated client.
Client PC1 can access all initial VLANs using tagged frames.
The remaining clients stay unauthenticated and cannot access any VLANs.
The following figure represents the functionality when client PC1 authenticates.
Note
PC1 is authenticated with RADIUS VLAN 1. The other clients cannot access the network as they are unauthenticated.
When a client disconnects, the following happens:
The MAC VLAN rule is removed from the switch.
If the RADIUS VLAN attribute was used when the client was authenticated and no other clients are authenticated on that RADIUS VLAN, then the port is removed from the VLAN.
The RADIUS accounting attribute Acct-Terminate-Cause indicates how a session was terminated.
The RADIUS accounting attribute Event-Timestamp indicates the time that an event occurred on the Network Access Server (NAS).
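The following Python model is an added illustration, not part of the original documentation or the switch software; it traces the port membership, MAC VLAN rule, and disconnect behavior described above. The class and method names and the VLAN IDs (10, 20, 30) are constructed for the example, and the model assumes tagged frames are accepted only for the initial VLANs, which is the only tagged case the text describes.

```python
class MhmvPort:
    """Simplified model of one MHMV port (illustration only, not switch code)."""

    def __init__(self, initial_vlans, default_vlan):
        if default_vlan not in initial_vlans:
            raise ValueError("port default VLAN must be one of the initial VLANs")
        self.initial_vlans = set(initial_vlans)  # configured before EAP was enabled
        self.default_vlan = default_vlan         # never changed by authentication
        self.radius_vlans = set()                # joined because of a RADIUS VLAN attribute
        self.mac_rules = {}                      # authenticated MAC -> VLAN for untagged frames
        self.radius_clients = {}                 # MAC -> RADIUS VLAN, if one was returned

    def membership(self):
        return self.initial_vlans | self.radius_vlans

    def authenticate(self, mac, radius_vlan=None):
        if radius_vlan is None:
            # No RADIUS VLAN attribute: membership unchanged, rule maps MAC to default VLAN.
            self.mac_rules[mac] = self.default_vlan
        else:
            # RADIUS VLAN attribute: port stays in initial VLANs and also joins this one.
            self.radius_vlans.add(radius_vlan)
            self.radius_clients[mac] = radius_vlan
            self.mac_rules[mac] = radius_vlan

    def forward(self, mac, tag=None):
        """Return the VLAN a frame is forwarded to, or None if it is dropped."""
        if mac not in self.mac_rules:
            return None                          # unauthenticated: no network access
        if tag is None:
            return self.mac_rules[mac]           # untagged: follow the MAC VLAN rule
        # Assumption: tagged frames are accepted only for the initial VLANs.
        return tag if tag in self.initial_vlans else None

    def disconnect(self, mac):
        self.mac_rules.pop(mac, None)            # MAC VLAN rule is removed
        vlan = self.radius_clients.pop(mac, None)
        # Leave the RADIUS VLAN only when no other authenticated client still uses it.
        if vlan is not None and vlan not in self.radius_clients.values():
            self.radius_vlans.discard(vlan)


if __name__ == "__main__":
    port = MhmvPort({10, 20}, default_vlan=10)   # constructed VLAN IDs
    port.authenticate("pc1", radius_vlan=30)
    print(sorted(port.membership()), port.forward("pc1"), port.forward("pc2"))
    port.disconnect("pc1")
    print(sorted(port.membership()), port.forward("pc1"))
```

When auditing a live port, the same invariants are worth checking: no MAC VLAN rule exists for an unauthenticated MAC, and the port is not left in a RADIUS-assigned VLAN after its last authenticated client disconnects.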