Authentication override allows you to override port authentication using a profile-based attribute. If a port has an active policy and the authentication override is enabled, all frames arriving on that port have that policy applied, and no further authentication occurs. In addition, any pre-existing authenticated sessions on that port are removed. However, the action is reverted once the authentication override is disabled. Authentication override is disabled by default.
The ENTERASYS-POLICY-PROFILE-MIB is changed to support the policy profile-based port authentication override feature:
etsysPolicyProfilePortAuthOverride OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "If a port has an active policy and that policy's
        etsysPolicyProfilePortAuthOverride is set to enabled(1), all
        frames arriving on the port will have that policy applied. In
        addition, any pre-existing entries with matching port values in
        the etsysMultiAuthSessionStationTable tables will change their
        authorization status to authTerminated(5). No further
        authentication will occur on this port. If disabled(2), the
        actions described above will not occur."
    DEFVAL { disabled }
    ::= { etsysPolicyProfileEntry 21 }

etsysPolicyClassification group

supportsProfilePortAuthOverride(24)
    -- supports per profile port authentication
    -- override via etsysPolicyProfilePortAuthOverride
To configure authentication override, use the following command:
configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list} {forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index} {access-list [unassigned | list_name | list_name_placeholder]}
Note
If authentication override is enabled, a static VLAN must be configured for the PVID instead of a dynamic VLAN.
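Because an enabled override stops all further authentication on the port, it is worth auditing which profiles have it set. The following is an added example, not part of the original documentation: it parses Net-SNMP `snmpwalk` text output for the etsysPolicyProfilePortAuthOverride column described above and lists the profiles with the override enabled. The sample walk is constructed, and the single-integer row index (the profile index) is an assumption.

```python
import re

# Matches snmpwalk lines for the per-profile override column, e.g.
#   ...::etsysPolicyProfilePortAuthOverride.3 = INTEGER: enabled(1)
# and the bare form printed when enum labels are not rendered (INTEGER: 1).
LINE_RE = re.compile(
    r"etsysPolicyProfilePortAuthOverride\.(?P<index>\d+)\s*=\s*INTEGER:\s*"
    r"(?:(?P<label>[A-Za-z]+)\((?P<num>\d+)\)|(?P<bare>\d+))\s*$"
)

ENABLED, DISABLED = 1, 2  # EnabledStatus values quoted in the MIB description

# Constructed sample input (not captured from a real switch).
SAMPLE_WALK = """\
SNMPv2-MIB::sysName.0 = STRING: edge-sw-01
ENTERASYS-POLICY-PROFILE-MIB::etsysPolicyProfilePortAuthOverride.1 = INTEGER: disabled(2)
ENTERASYS-POLICY-PROFILE-MIB::etsysPolicyProfilePortAuthOverride.3 = INTEGER: enabled(1)
ENTERASYS-POLICY-PROFILE-MIB::etsysPolicyProfilePortAuthOverride.7 = INTEGER: 1
"""


def parse_override_states(walk_text):
    """Return {profile_index: EnabledStatus value} for each override row."""
    states = {}
    for line in walk_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # unrelated object or other column
        value = int(m.group("num") or m.group("bare"))
        if value not in (ENABLED, DISABLED):
            # Fail loudly instead of silently treating garbage as "disabled".
            raise ValueError(f"unexpected EnabledStatus value in: {line!r}")
        states[int(m.group("index"))] = value
    return states


def profiles_bypassing_auth(walk_text):
    """Sorted profile indexes whose ports skip authentication."""
    states = parse_override_states(walk_text)
    return sorted(i for i, v in states.items() if v == ENABLED)


if __name__ == "__main__":
    for idx in profiles_bypassing_auth(SAMPLE_WALK):
        print(f"profile {idx}: auth-override enabled, no port authentication")
```

A profile that does not appear in the result is either explicitly disabled(2) or has no row in the walk; the documented default is disabled.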