Consider the following when you use port and VLAN based attributes.
Only attributes that can be configured manually can be configured dynamically using EAP.
Dynamic cleanup is supported. When the last client to authenticate using a dynamic attribute is removed, the following dynamic attributes are also removed:
Dynamic ARP Inspection (DAI)
DHCP Snooping
IGMP Snooping
IP Source Guard
Re-authentication
However, the following attributes can only be removed by disabling EAP:
SLPP Guard
BPDU Guard
Traffic Control (Wake on LAN)
Custom Auto-Negotiation Advertisements
DHCP Snooping Option 82 is not supported.
IGMP Snooping is not supported on a DvR Leaf.
If multiple client authentication is permitted in MHMV mode, you can apply RADIUS attributes incrementally as subsequent clients authenticate.
If a client authenticates with DHCP Snooping, DAI, and IP Source Guard attributes on the VLAN and a second client attempts to authenticate with the same attributes, the following occurs:
If the second client uses the same VLAN as the first client, only IP Source Guard applies on the RADIUS configuration port.
If the second client uses a different VLAN, DHCP Snooping and DAI apply on the VLAN and the IP Source Guard applies on the RADIUS configuration port.
Note
The following consideration only applies if IP Source Guard is received from the RADIUS server. Otherwise, DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled based on the behavior described in Expected Behavior for DHCP Snooping and DAI Vendor Specific Attributes.
If you configure a port in Multiple Host Single Association (MHSA) mode and VLAN based attributes are received from the RADIUS server, features are enabled on the default VLAN and on all VLANs that contain the authentication port.
Configuring Custom Auto-Negotiation Advertisements (CANA) on a port triggers a port bounce, which generates new client authentication.
Disconnect requests execute a disconnect command for the client. If the PORTBOUNCE attribute is included, then it only performs a port bounce.
Change-of-Authorization (CoA) requests perform the change of authorized configuration for the supported attributes. If the PORTBOUNCE attribute is included, then it only performs a port bounce.
On Flex-UNI ports, if the I-SID received from the RADIUS server does not have a platform VLAN associated with it, attributes are not applied. When a platform VLAN is associated with the I-SID, EAP re-authentication is generated to apply the attribute by bouncing a port, bouncing EAP on a port, or by using CoA Re-authenticate.
The following IP Source Guard restrictions apply even if the feature is configured on the RADIUS server:
Maximum 10 entries per port
Maximum 1000 entries per server
DHCP Snooping and DAI must be enabled on all VLAN members of the RADIUS configured port.
If you configure a Guest VLAN on a port and the RADIUS server returns IP Source Guard as a result of EAP or NEAP authentication, then you should manually remove static VLANs from that port. Alternatively, you can enable DHCP Snooping and DAI on static VLANs.
If you configure a port with multiple platform VLANs and the RADIUS server returns IP Source Guard as a result of EAP/NEAP authentication, then you must manually configure DHCP Snooping and DAI on static platform VLANs.
The origin of the re-authentication flag and re-authentication period attributes can be either CONFIG or RADIUS. The two attributes can have different origins, as described below:
You can configure the re-authentication flag with or without a time interval in CLI or RADIUS VSA. If you do not specify a time interval when you enable re-authentication on a port from RADIUS, the re-authentication period origin does not change.
If a RADIUS client specifies the same value as the one that already exists in static configuration through CLI, the origin remains as CONFIG.
If you enable re-authentication through CLI and you configure a specific period using the re-authentication-period <0, 60-65535> command, the origin is CONFIG.
The following message displays to indicate that RADIUS clients use the configuration:
WARNING: Setting used by Radius Client. Are you sure you want to continue? (y/n)?
If the re-authentication period attribute was configured with the re-authentication flag through RADIUS VSA, the origin is RADIUS.
When you change the re-authentication period attribute in CLI, the following message displays to indicate that the origin of this parameter is RADIUS.
WARNING: Current port reauth period has RADIUS origin. Are you sure you want to continue? (y/n)?
Changing a parameter in CLI that was originally configured using RADIUS changes the origin to CONFIG.
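The origin rules above, modelled as a small port state machine. This is an added example, not Extreme Networks code: the two warning strings and the period range come from this page, while the default period, the client counter and the method names are assumptions.

```python
"""Model of the re-authentication origin rules (constructed example, not
Extreme Networks code); DEFAULT_PERIOD, radius_clients and method names are assumed."""
from dataclasses import dataclass
from typing import List, Optional

CONFIG, RADIUS = "CONFIG", "RADIUS"
DEFAULT_PERIOD = 3600  # assumed static CLI default, in seconds
WARN_USED_BY_RADIUS = ("WARNING: Setting used by Radius Client. "
                       "Are you sure you want to continue? (y/n)?")
WARN_RADIUS_ORIGIN = ("WARNING: Current port reauth period has RADIUS origin. "
                      "Are you sure you want to continue? (y/n)?")


def check_period(period: int) -> int:
    """Accept only the CLI range <0, 60-65535>."""
    if period == 0 or 60 <= period <= 65535:
        return period
    raise ValueError(f"period {period} outside <0, 60-65535>")


@dataclass
class PortReauth:
    flag: bool = False
    flag_origin: str = CONFIG
    period: int = DEFAULT_PERIOD
    period_origin: str = CONFIG
    radius_clients: int = 0  # clients that authenticated with a reauth VSA

    def radius_vsa(self, flag: bool, period: Optional[int] = None) -> None:
        """Apply a RADIUS VSA carrying the flag and, optionally, a period."""
        self.radius_clients += 1
        if flag != self.flag:  # same value as the CLI config: origin unchanged
            self.flag, self.flag_origin = flag, RADIUS
        if period is not None and check_period(period) != self.period:
            self.period, self.period_origin = period, RADIUS
        # a VSA without a period leaves the period origin as it was

    def cli_reauth(self, flag: bool, period: Optional[int] = None) -> List[str]:
        """CLI change; returns the warnings the switch would display."""
        warnings: List[str] = []
        if period is not None and self.period_origin == RADIUS:
            warnings.append(WARN_RADIUS_ORIGIN)
        elif self.radius_clients:
            warnings.append(WARN_USED_BY_RADIUS)
        self.flag, self.flag_origin = flag, CONFIG  # CLI change: origin CONFIG
        if period is not None:
            self.period, self.period_origin = check_period(period), CONFIG
        return warnings

    def origins(self):
        return (self.flag_origin, self.period_origin)
```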
For more information, see Extreme-Dynamic-Config.