Configuring MAC pinning
MAC pinning allows administrators to persist authenticated clients by disabling the logoff period associated with the client. The feature is available for clients that use MAC Auth or Local MAC Authentication. During port-flaps and switch reboot, the pinned authenticated client entries will be de-authenticated until those clients reauthenticate.
MAC pinning is disabled by default and can be enabled on a per-port basis or enabled on range of ports. The primary use case for using MAC pinning is for legacy devices such as printers or medical devices that remain silent on the network resulting in de-authentication of those clients.
Restrictions
-
This feature is mutually exclusive with port-security learn-mode configurations. Learn-mode can only be set as "continuous" when MAC pinning is enabled on LMA or MAC-based port. If MAC pinning is enabled, port-securities learn mode can be set to" continuous" and" port-access".
-
MAC pinning is mutually exclusive with port-security learn-mode configurations. When MAC pinning is enabled, port-security learn-mode configurations must be set as "continuous".
Configuration use cases
-
When a client enables LMA with MAC pinning and 802.1x authentication on a port, the MAC address is pinned. If that client tries to authenticate through the 802.1x authentication method, MAC pinning will not function. When MAC pinning does not function, the client must de-authenticated from LMA and reauthenticated through 802.1x which will then take precedence over LMA authentication. The client must check the concurrent auth with the default logoff period of 300 sec.
-
When a client enables LMA with MAC-pinning and MAC-based authentication on a port, the MAC-address is pinned through the LMA authentication. If that same client tries to authentication through MAC-based authentication, the LMA authentication takes precedence. No MAC-based authentication clients will be added and MAC-pinning will stay in effect.
-
When a client enables LMA with MAC pinning and 802.1x authentication on a port with a logoff period, the client is authenticated through LMA and the MAC address is pinned. The client is then authenticated through both LMA and 802.1x. Once the 802.1x authentication completes, the client must de-authenticate from LMA. The client then configures the logoff period and checks the concurrent Auth between LMA and Dot1x.
-
When LMA with MAC pinning has been enabled on a port and the eport is powered down, or power cycles, the client is de-authenticated. When the port is powered up, the client will be re-authenticated when reachable.
-
If MAC pinning is disabled on a port, the clients are subjected to log off period behavior when the client is removed from the port.