Exclusions and Limitations

The following are limitations and exclusions for network login:

  • When using NetLogin MAC-based VLAN (Virtual LAN) mode, moving a port as untagged from a pre-authentication VLAN to a post-authentication VLAN is not supported when both VLANs are configured with Protocol Filter IP.
  • All unauthenticated MACs will see broadcasts and multicasts sent to the port if even a single MAC is authenticated on that port.

  • Network login must be disabled on a port before that port can be deleted from a VLAN.

  • In Campus mode on all switches with untagged VLANs and the network login ports' mode configured as port-based-VLAN, after the port moves to the destination VLAN, the original VLAN for that port is not displayed.

  • A network login VLAN port should not be a part of the following protocols:
  • Network login and STP (Spanning Tree Protocol) operate on the same port as follows:
    • At least one VLAN on the intended port should be configured both for network login and STP.

    • When STP blocks a port, network login does not process authentication requests and BPDUs are the only traffic in and out of the port. All user data forwarding stops.

    • When STP places a port in forwarding state, network login operates and BPDUs and user data flow in and out of the port. The forwarding state is the only STP state that allows network login and user data forwarding.

    • If a network login client is authenticated in ISP mode and STP blocks one of the authenticated VLANs on a given port, the client is unauthenticated only from the port or VLAN that is blocked.

    • All clients that are going through authentication and are learned on a blocked port or VLAN are cleared.

    Note

    When STP with edge-safeguard and the network login feature are enabled on the same port, the port goes into the disabled state after a loop is detected in the network. NetLogin campus mode and STP can be configured together on a port with the autobind feature.
  • The maximum re-authentication period configured using CLI commands is 86,400 seconds for MAC and Dot1x authentication methods. There is no limitation for the re-authentication period (session timeout) sent using RADIUS server for Netlogin authentication.
  • When in non-policy mode, NetLogin is not supported on user VRs. It is supported only on VR-Default.
    Enabling NetLogin on ports that are not part of VR-Default produces the following error:
    WARNING: Ports that are not part of the current Virtual Router were ignored.
  • When in policy mode, system-wide, only one NetLogin base VLAN can be configured and this VLAN can be part of any VR.
  • If you want to scale to 65,000 authenticated users, use a session timeout value of at least 300 minutes.
  • NetLogin is not supported on user VRs in non-policy mode. NetLogin is supported only on VR-Default in non-policy mode.
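As an added example, not part of the original page or the switch vendor's own tooling, the following Python lint checks a captured configuration against three of the limits listed above: the 86,400-second CLI cap on the MAC and Dot1x re-authentication period, the VR-Default restriction in non-policy mode, and the 300-minute session timeout advised when scaling to 65,000 users. The command shapes it parses, the comma-only port lists and the VR-Guest sample configuration are assumptions.

```python
import re

# Limits stated in the exclusions list above.
MAX_REAUTH_SECONDS = 86_400          # CLI cap for MAC and Dot1x re-authentication period
LARGE_DEPLOYMENT_USERS = 65_000      # scale at which a long session timeout is advised
MIN_SESSION_TIMEOUT_MINUTES = 300

# Assumed (hypothetical, simplified) command shapes; port lists are comma-separated only.
REAUTH_RE = re.compile(r"^configure netlogin (dot1x|mac) timers reauth-period (\d+)$")
ENABLE_RE = re.compile(r"^enable netlogin ports (\S+)(?:\s|$)")
VR_PORTS_RE = re.compile(r"^configure vr (\S+) add ports (\S+)$")

# Constructed sample: one port moved to a user VR, one reauth period above the CLI cap.
SAMPLE_CONFIG = [
    "configure vr VR-Guest add ports 1:3",
    "configure netlogin dot1x timers reauth-period 90000",
    "configure netlogin mac timers reauth-period 3600",
    "enable netlogin ports 1:1,1:3 dot1x",
]


def lint_netlogin(config_lines, policy_mode=False, expected_users=0, session_timeout_minutes=None):
    """Return a list of findings; an empty list means none of the checked limits is violated."""
    findings = []
    port_vr = {}  # port -> virtual router; unlisted ports are assumed to stay in VR-Default
    for line in config_lines:
        m = VR_PORTS_RE.match(line.strip())
        if m:
            for port in m.group(2).split(","):
                port_vr[port] = m.group(1)
    for line in config_lines:
        line = line.strip()
        m = REAUTH_RE.match(line)
        if m and int(m.group(2)) > MAX_REAUTH_SECONDS:
            findings.append(f"{m.group(1)} reauth-period {m.group(2)}s exceeds the CLI maximum of "
                            f"{MAX_REAUTH_SECONDS}s")
        m = ENABLE_RE.match(line)
        if m and not policy_mode:  # the VR-Default restriction applies only in non-policy mode
            for port in m.group(1).split(","):
                vr = port_vr.get(port, "VR-Default")
                if vr != "VR-Default":
                    findings.append(f"port {port} is in user VR {vr}; NetLogin is supported only on "
                                    f"VR-Default in non-policy mode, so it will be ignored")
    if expected_users >= LARGE_DEPLOYMENT_USERS and (
            session_timeout_minutes is None or session_timeout_minutes < MIN_SESSION_TIMEOUT_MINUTES):
        findings.append(f"{expected_users} users need a session timeout of at least "
                        f"{MIN_SESSION_TIMEOUT_MINUTES} minutes, got {session_timeout_minutes}")
    return findings


if __name__ == "__main__":
    for finding in lint_netlogin(SAMPLE_CONFIG, expected_users=65_000, session_timeout_minutes=60):
        print("FINDING:", finding)
```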