MAC-Based Authentication Delay

Prior to ExtremeXOS 21.1, the default behavior was to authenticate the client with all enabled authentication methods on that port for backward compatibility. To delay MAC authentication, the user must configure the MAC authentication delay period using the CLI. The MAC authentication delay period's default value is 0 seconds for backward compatibility. The configurable range of the MAC authentication delay period is 0 to 120 seconds.

The following example explains both the pre-ExtremeXOS 21.1 behavior and the added MAC Authentication Delay feature:

Assume MAC, dot1X and Web-based authentication methods are enabled on a port. When the client is connected to the port, the first packet from the client triggers ExtremeXOS to do MAC authentication: it authenticates the client using RADIUS and applies the action. When the user “Adam” tries to do dot1X authentication, ExtremeXOS triggers dot1X authentication, authenticates “Adam” using RADIUS, and applies the action of the more preferred authentication method. If dot1X authentication is configured as preferred over MAC authentication, then the MAC authentication action is unapplied and the dot1X authentication action is applied. In this case the switch authenticates the client using both the MAC and dot1X authentication methods. This is the existing behavior, in which the MAC authentication delay interval is 0 seconds.

If the customer requirement is to delay or bypass MAC authentication, then the MAC authentication delay period must be configured on a per-port basis. In this case, the moment ExtremeXOS detects the first packet from the client on the connected port, it waits for the MAC authentication delay period so that other authentication methods can be triggered to authenticate the client. In this case the user “Adam” will do dot1X authentication to authenticate himself. The time ExtremeXOS waits for dot1X authentication to trigger is called the MAC authentication delay period, and it is user configurable.
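
The two cases above can be compared with a small model. This is an added example, not ExtremeXOS code: the function and field names are hypothetical, Web-based authentication is left out, and it assumes that both methods succeed at RADIUS and that MAC authentication runs once the delay period expires if dot1X has not been triggered by then.

```python
from dataclasses import dataclass

DELAY_MIN, DELAY_MAX = 0, 120  # configurable range stated on this page (seconds)


@dataclass
class Outcome:
    radius_requests: list  # methods sent to RADIUS, in time order
    applied_action: str    # method whose action ends up applied on the port


def authenticate(delay, dot1x_start=None, preferred="dot1x"):
    """Model one client on a port with MAC and dot1X authentication enabled.

    delay       -- MAC authentication delay period, in seconds
    dot1x_start -- seconds after the client's first packet at which dot1X
                   is triggered, or None if the client never does dot1X
    preferred   -- method whose action wins once both have authenticated
    """
    if not DELAY_MIN <= delay <= DELAY_MAX:
        raise ValueError("MAC authentication delay must be 0..120 seconds")

    events = []
    # Assumption: MAC authentication fires when the delay expires, unless
    # dot1X was triggered before that point (the bypass case).
    if dot1x_start is None or dot1x_start >= delay:
        events.append((delay, "mac"))
    if dot1x_start is not None:
        events.append((dot1x_start, "dot1x"))
    events.sort()  # process triggers in time order

    requests, applied = [], None
    for _, method in events:
        requests.append(method)
        # A later method replaces the applied action only if it is preferred.
        if applied is None or method == preferred:
            applied = method
    return Outcome(requests, applied)


if __name__ == "__main__":
    # Constructed scenarios: "Adam" starts dot1X 5 seconds after link-up.
    print("delay 0 :", authenticate(0, dot1x_start=5))
    print("delay 30:", authenticate(30, dot1x_start=5))
    print("no dot1X:", authenticate(30, dot1x_start=None))
```

With a delay of 0 the model sends two RADIUS requests for the same client (MAC, then dot1X); with a delay longer than the supplicant's start time only the dot1X request is sent, and a client that never starts dot1X still falls back to MAC authentication after the delay.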