Authentication Override

Authentication override allows you to override port authentication using a profile-based attribute. If a port has an active policy and the authentication override is enabled, all frames arriving on that port have that policy applied, and no further authentication occurs. In addition, any pre-existing authenticated sessions on that port are removed. However, the action is reverted once the authentication override is disabled. Authentication override is disabled by default.

The ENTERASYS-POLICY-PROFILE-MIB is changed to support the policy profile-based port authentication override feature:

etsysPolicyProfilePortAuthOverride OBJECT-TYPE
      SYNTAX      EnabledStatus
      MAX-ACCESS  read-create
      STATUS      current
            "If a port has an active policy and that policy's etsysPolicyProfilePortAuthOverride is set to enabled(1),
            all frames arriving on the port will have that policy applied. In addition, any pre-existing entries with matching 
            port values in the etsysMultiAuthSessionStationTable tables will change their authorization status to 
            authTerminated(5).  No further authentication will occur on this port.
            If disabled(2), the actions described above will not occur."
      DEFVAL { disabled }
      ::= { etsysPolicyProfileEntry 21 }

etsysPolicyClassification group        
               -- supports per profile port authentication 
            -- override via etsysPolicyProfilePortAuthOverride

To configure authentication override, use the following command:

configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list}{forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index} {access-list [unassigned | list_name | list_name_placeholder]}



If authentication override is enabled, then static VLAN has to be configured rather than using the dynamic VLAN for the PVID.