The default VM authentication configuration uses all three methods in the following sequence: NMS server (first choice), network-based VMMAP file (second choice), and finally, local database. If a service is not available, the switch tries the next authentication service in the sequence.
When an Access-Accept packet is received with an NVPP specified, the policies are applied on the VM-enabled port.
When an Access-Accept packet is received and no NVPP is specified, the port is authenticated and no policy is applied to the port.
When an Access-Reject packet is received, the port is unauthenticated and no policy is applied.
When an Access-Reject packet indicates that the NMS server timed out or is not reachable, the switch tries to authenticate the VM MAC address based on the next authentication method configured, which can be either network authentication or local authentication.
VM IP address
VPP configured for the VM
An Access-Reject packet contains no VSA.
If network (VMMAP) authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the VMMAP file to authenticate the VM and applies the appropriate VPP.
If local authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the local database to authenticate the VM and applies the appropriate VPP.
If all configured authentication methods fail, EMS messages are logged and no VPP is applied.
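The fallback sequence described above can be modeled as follows. This is an added example, not switch code or vendor code. The function name, the data layout, the sample MACs and the policy names are hypothetical, and the model assumes that a MAC with no entry in the VMMAP file or local database counts as that method failing.

```python
"""Model of the VM authentication fallback sequence (added illustration)."""
NMS, VMMAP, LOCAL = "nms", "vmmap", "local"
DEFAULT_ORDER = (NMS, VMMAP, LOCAL)


def authenticate_vm(mac, sources, order=DEFAULT_ORDER):
    """Return (authenticated, policy, method, ems_log) for a detected VM MAC.

    sources maps a method name to None (service not available) or to a
    dict of MAC -> policy name. For NMS, a policy of None models an
    Access-Accept with no NVPP; a missing MAC models an Access-Reject.
    """
    mac = mac.lower()
    ems_log = []
    for method in order:
        table = sources.get(method)
        if table is None:
            # Timed out or unreachable: try the next configured method.
            ems_log.append(f"{method}: unavailable, trying next method")
            continue
        if mac in table:
            # Authenticated; the policy may be None (no policy applied).
            return True, table[mac], method, ems_log
        if method == NMS:
            # Explicit Access-Reject: port unauthenticated, no fallback.
            ems_log.append(f"{method}: Access-Reject for {mac}")
            return False, None, method, ems_log
        # Assumption: a VMMAP or local miss counts as that method failing.
        ems_log.append(f"{method}: no entry for {mac}")
    ems_log.append(f"all methods failed for {mac}; no VPP applied")
    return False, None, None, ems_log


# Constructed sample data; MACs and policy names are made up.
NMS_DB = {"00:11:22:33:44:01": "nvpp-web", "00:11:22:33:44:02": None}
VMMAP_DB = {"00:11:22:33:44:03": "vpp-db"}
LOCAL_DB = {"00:11:22:33:44:04": "vpp-local"}

if __name__ == "__main__":
    reachable = {NMS: NMS_DB, VMMAP: VMMAP_DB, LOCAL: LOCAL_DB}
    nms_down = {NMS: None, VMMAP: VMMAP_DB, LOCAL: LOCAL_DB}
    for label, src in (("NMS up", reachable), ("NMS down", nms_down)):
        for mac in ("00:11:22:33:44:01", "00:11:22:33:44:03"):
            print(label, mac, authenticate_vm(mac, src)[:3])
```

In this model, the MAC ending in `:03` is rejected while the NMS server answers but is authenticated from the VMMAP file when the NMS server is unreachable, so the VMMAP file and local database need to be kept consistent with the NMS server.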
Each VM MAC must be unique. If duplicate MAC addresses are detected on the switch, whether on the same VLAN or different VLANs, the switch supports only the last MAC detected.