Configuring MAC pinning
MAC pinning allows administrators to persist authenticated clients by disabling the logoff period associated with the client. The feature is available for clients that use MAC Auth or Local MAC Authentication (LMA). During port flaps and switch reboots, pinned authenticated client entries are de-authenticated until those clients reauthenticate.
MAC pinning is disabled by default and can be enabled on a per-port basis or on a range of ports. The primary use case for MAC pinning is legacy devices such as printers or medical devices that remain silent on the network, which would otherwise result in those clients being de-authenticated when the logoff period expires.
Restrictions
This feature is mutually exclusive with port-security learn-mode configurations. Learn-mode can only be set to "continuous" when MAC pinning is enabled on an LMA or MAC-based port. If MAC pinning is enabled, the port-security learn mode can be set to "continuous" and "port-access".
MAC pinning is mutually exclusive with port-security learn-mode configurations. When MAC pinning is enabled, port-security learn-mode configurations must be set as "continuous".
Configuration use cases
When LMA with MAC pinning and 802.1X authentication are both enabled on a port, the client's MAC address is pinned by LMA. If that client then tries to authenticate through the 802.1X method, MAC pinning will not function: the client is de-authenticated from LMA and reauthenticated through 802.1X, which takes precedence over LMA authentication. The client is then subject to the concurrent-auth check with the default logoff period of 300 seconds.
When LMA with MAC pinning and MAC-based authentication are both enabled on a port, the MAC address is pinned through the LMA authentication. If that same client tries to authenticate through MAC-based authentication, the LMA authentication takes precedence. No MAC-based authentication client entry is added and MAC pinning stays in effect.
When LMA with MAC pinning and 802.1X authentication are both enabled on a port with a logoff period, the client is first authenticated through LMA and its MAC address is pinned. The client is then authenticated through both LMA and 802.1X. Once the 802.1X authentication completes, the client is de-authenticated from LMA. The client then takes on the configured logoff period and is checked for concurrent auth between LMA and 802.1X.
When LMA with MAC pinning is enabled on a port and the port is powered down or power cycles, the client is de-authenticated. When the port is powered up, the client is reauthenticated once it is reachable.
If MAC pinning is disabled on a port, clients are subject to the logoff period behavior when they are removed from the port.
The Disconnect-Request message from the RADIUS server is applied to all clients whose MAC addresses are pinned. Those clients are disconnected as per RFC 3576.
The reauth-period configuration applies to clients whose MAC addresses are pinned. Upon reauth-period expiry, the client is reauthenticated. If the reauthentication is successful, the client continues as an authenticated client. If the server is not reachable, or reauthentication fails, the client is removed from the authenticated client list.
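The lifecycle rules above (pinning only for LMA / MAC Auth clients, the LMA vs. MAC-based and 802.1X precedence cases, port flaps, RFC 3576 Disconnect-Request and reauth-period expiry) are modelled in the following added Python example. It is a constructed behavioural model written for this page, not the switch's own code; the Client/Port classes, method names and the "lma"/"mac-auth"/"dot1x" labels are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Client:
    mac: str
    method: str            # "lma", "mac-auth" or "dot1x"
    pinned: bool = False
    last_seen: int = 0
    authenticated: bool = True

@dataclass
class Port:
    mac_pinning: bool = False
    logoff_period: int = 300   # seconds; the page's default logoff period
    clients: dict = field(default_factory=dict)

    def authenticate(self, mac, method, now):
        """Add or update a client entry; pinning applies only to LMA / MAC Auth clients."""
        pinned = self.mac_pinning and method in ("lma", "mac-auth")
        existing = self.clients.get(mac)
        if existing and existing.method == "lma" and method == "mac-auth":
            # LMA takes precedence: no MAC-auth entry is added, pinning stays in effect.
            return existing
        if existing and existing.method == "lma" and method == "dot1x":
            # 802.1X takes precedence: the entry loses its pin and follows the logoff period.
            pinned = False
        self.clients[mac] = Client(mac, method, pinned, now)
        return self.clients[mac]

    def idle_expiry(self, now):
        """Drop silent clients whose logoff period elapsed; pinned entries are kept."""
        for mac, c in list(self.clients.items()):
            if not c.pinned and now - c.last_seen >= self.logoff_period:
                del self.clients[mac]

    def port_flap(self):
        """Port down or switch reboot: every entry, pinned or not, is de-authenticated."""
        for c in self.clients.values():
            c.authenticated = False

    def radius_disconnect_request(self, mac):
        """RFC 3576 Disconnect-Request is honoured for pinned clients too."""
        self.clients.pop(mac, None)

    def reauth_expiry(self, mac, server_result):
        """reauth-period expiry: True keeps the client; False (failed) or None (unreachable) removes it."""
        if server_result:
            self.clients[mac].authenticated = True
        else:
            self.clients.pop(mac, None)
```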