Restrictions and guidelines: MAC authentication configuration

If the authentication server assigns both an authorization VSI and authorization VLAN to a user, the device uses only the authorization VLAN.

On a port, the guest VLAN and critical VLAN settings are mutually exclusive with the guest VSI and critical VSI settings.

For successful assignment of authorization VLANs or authorization VSIs, make sure the following requirements are met:

Do not change the link type of a port when the MAC authentication guest VLAN or critical VLAN on the port has users.

Features about the MAC authentication VSI manipulation are supported on both Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. These features include MAC authentication, MAC authentication guest VSI, MAC authentication critical VSI, and the maximum number of concurrent MAC authentication users on a port. Other MAC authentication features are supported only on Layer 2 Ethernet interfaces.

After a Layer 2 Ethernet interface is added to an aggregation group, MAC authentication settings on the interface do not take effect.

Do not delete a Layer 2 aggregate interface if the interface has online MAC authentication users.

MAC authentication is mutually exclusive with service loopback groups.

If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark the MAC address as a silent address.