Critical and Open Authentication
- Devices that send voice traffic.
- Devices that send data traffic.
Either an open authentication VLAN (voice and/or data) or an open authentication user-role can be configured for a port, but a VLAN and a user-role cannot both be configured on the same interface. Initial traffic on the port is restricted only by ACLs configured on the port or on its VLANs, or by the ACLs contained in the user-role.
Impact of Open Authentication on existing features
- Unauthenticated devices
Configuring an open authentication VLAN changes the behavior of unauthenticated devices. Normally, an authentication-enabled port gives an unauthenticated client no network access until the RADIUS server authenticates the device. With an open authentication VLAN configured, the client is placed in the open authentication VLAN until the RADIUS server authenticates the device.
Unauthenticated clients are placed into the VLAN specified in the open authentication command string. After the RADIUS server authenticates a client, the client is placed into the VLAN specified in the RADIUS authentication command string or in the RADIUS authentication accept message.
- LLDP-Bypass
When LLDP-bypass is enabled on the switch, Aruba APs are not authenticated, so the open authentication VLAN does not apply to them.
- ACLs applied on an Interface
If an ACL rule is applied on an interface which is part of an open authentication VLAN, traffic coming through that interface will be affected. Traffic will be affected based on the rule in the ACL. For more information, see the Access Security Guide for your switch.
- ACLs applied on a VLAN
If an ACL rule is applied on an open authentication VLAN, traffic entering that VLAN will be affected. Traffic will be affected based on the rule in the ACL. For more information, see the Access Security Guide for your switch.
- Rate-limiting on an interface
If traffic is rate-limited on an interface that is part of an open authentication VLAN, that traffic is affected according to the rule in the rate-limiting configuration command. For more information, see the Management and Configuration Guide for your switch.
- Authenticated or rejected clients
Clients that the RADIUS server either authenticates or rejects are assigned different VLANs. These clients are moved from the open authentication VLAN to the new VLAN based on the RADIUS server's authentication result.
- MAC pinning
Clients whose MAC addresses are pinned and that have already been authenticated are always treated as authenticated. The open authentication VLAN does not apply in this scenario.
- Effect of RADIUS tracking on open authentication
If RADIUS tracking is enabled and no RADIUS server is available for authentication, the port is moved from the open authentication VLAN to the critical VLAN. The time taken to move from the open authentication VLAN to the critical VLAN depends on how long the RADIUS tracker takes to inform the subsystem.
- Impact of disabling open authentication feature
When a device is in an open authentication VLAN and the open authentication feature is disabled on the switch, the device is moved to the PVID. All tagged traffic from that device is dropped, while untagged traffic is assigned to the PVID.
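The VLAN placement rules described above, modelled as an added Python example (this is illustration code, not the switch's own implementation; PortConfig, Client, reject_vlan and the state names are assumed names chosen here):

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class RadiusResult(Enum):
    PENDING = "pending"        # no answer from the RADIUS server yet
    ACCEPT = "accept"          # Access-Accept received
    REJECT = "reject"          # Access-Reject received
    NO_SERVER = "no_server"    # RADIUS tracking reports no reachable server

@dataclass
class PortConfig:
    pvid: int                       # untagged VLAN of the port
    open_auth_vlan: Optional[int]   # None: open authentication VLAN not configured
    critical_vlan: Optional[int]    # VLAN used when RADIUS tracking finds no server
    reject_vlan: Optional[int]      # assumed name: VLAN given to rejected clients
    lldp_bypass: bool = False
    pinned_macs: set = field(default_factory=set)

@dataclass
class Client:
    mac: str
    is_aruba_ap: bool = False
    radius: RadiusResult = RadiusResult.PENDING
    accept_vlan: Optional[int] = None  # VLAN the RADIUS accept assigned

def effective_vlan(port: PortConfig, client: Client):
    """Return (vlan, state) for a client on a MAC-based authentication port."""
    # MAC pinning: a pinned MAC that has already authenticated stays authenticated.
    if client.mac in port.pinned_macs and client.accept_vlan is not None:
        return client.accept_vlan, "authenticated"
    # LLDP-bypass: Aruba APs are not authenticated, so the open auth VLAN never applies.
    if port.lldp_bypass and client.is_aruba_ap:
        return None, "lldp-bypass"
    if client.radius is RadiusResult.ACCEPT:
        return client.accept_vlan, "authenticated"
    if client.radius is RadiusResult.REJECT:
        return port.reject_vlan, "rejected"
    # RADIUS tracking: no server available moves the port to the critical VLAN.
    if client.radius is RadiusResult.NO_SERVER and port.critical_vlan is not None:
        return port.critical_vlan, "critical"
    # Still unauthenticated: open auth VLAN if configured, otherwise no network access.
    if port.open_auth_vlan is not None:
        return port.open_auth_vlan, "open-auth"
    return None, "blocked"

def on_open_auth_disabled(port: PortConfig, frames_tagged):
    """Per-frame outcome after the feature is disabled while a client sits in the
    open auth VLAN: tagged frames are dropped, untagged frames go to the PVID."""
    return [("drop", None) if tagged else ("forward", port.pvid) for tagged in frames_tagged]
```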
Restrictions
- This feature does not support more than one tagged or untagged VLAN membership, whether configured directly on the VLAN or through a user-role.
- This feature is not applicable for authentication methods other than mac-based.
- This feature cannot be configured from the WebUI, the Menu interface, or REST.