With Extensible Authentication Protocol (EAP) and Fabric Attach (FA), FA-capable switches can forward traffic from EAP/NEAP clients over the SPB cloud. The traffic for authenticated clients is mapped to I-SIDs received from RADIUS server.
You must configure the desired bindings for EAP/NEAP clients on the RADIUS server. When confirming the authentication request, the RADIUS server also sends the corresponding binding for the EAP/NEAP client.
The FA Proxy sends to the FA Server the binding received from the RADIUS server. If the FA Server rejects all the bindings, the client is disconnected. EAP clients are moved from AUTHENTICATED state to HELD state.
On an FA Server, when an EAP/NEAP device is authenticated and an FA binding is received from the RADIUS server, a Switched UNI (S-UNI) is created.
After an EAP/NEAP client is disconnected, the switch cleans-up the binding associated with the client, if no other EAP/NEAP client on that port uses it.
EAP and FA can be enabled in any order; however, EAP must have Flex UNI enabled in order to function on an FA-enabled port.
FA clients that generate S-UNI bindings must be used with EAP MHSA mode, while FA clients that do not generate S-UNI bindings should be used with EAP MHMV mode.