Restrictions and guidelines: MAC authentication configuration
If the authentication server assigns both an authorization VSI and authorization VLAN to a user, the device uses only the authorization VLAN.
On a port, the guest VLAN and critical VLAN settings are mutually exclusive with the guest VSI and critical VSI settings.
For successful assignment of authorization VLANs or authorization VSIs, make sure the following requirements are met:
If the MAC authentication-enabled port is configured with the guest VLAN and critical VLAN, configure the authentication server to assign authorization VLANs to MAC authentication users.
If the MAC authentication-enabled port is configured with the guest VSI and critical VSI, configure the authentication server to assign authorization VSIs to MAC authentication users.
Do not change the link type of a port when the MAC authentication guest VLAN or critical VLAN on the port has users.
MAC authentication features related to VSI manipulation are supported on both Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. These features include MAC authentication, MAC authentication guest VSI, MAC authentication critical VSI, and the maximum number of concurrent MAC authentication users on a port. Other MAC authentication features are supported only on Layer 2 Ethernet interfaces.
After a Layer 2 Ethernet interface is added to an aggregation group, MAC authentication settings on the interface do not take effect.
Do not delete a Layer 2 aggregate interface if the interface has online MAC authentication users.
MAC authentication is mutually exclusive with service loopback groups.
You cannot enable MAC authentication on a port already in a service loopback group.
You cannot add a MAC authentication-enabled port to a service loopback group.
If a MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark the MAC address as a silent address.
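The following Python check is an added example, not vendor code. It lints a saved configuration for four of the restrictions above: guest/critical VLAN mixed with guest/critical VSI on one port, MAC authentication on a service loopback group member, MAC authentication settings on an aggregation group member, and VLAN-based settings on a Layer 2 aggregate interface. The command keywords and interface names are assumed Comware-style spellings that do not appear on this page, and the sample configuration is constructed.

```python
# Constructed sample. Command keywords and interface names are assumed
# Comware-style spellings (not given on this page); adjust for your platform.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 mac-authentication
 mac-authentication guest-vlan 100
 mac-authentication critical vsi crit
interface GigabitEthernet1/0/2
 port link-aggregation group 1
 mac-authentication
interface GigabitEthernet1/0/3
 port service-loopback group 2
 mac-authentication
interface Bridge-Aggregation1
 mac-authentication
 mac-authentication guest-vlan 100
interface GigabitEthernet1/0/4
 mac-authentication
 mac-authentication guest-vsi guest
"""

VLAN_KEYS = ("mac-authentication guest-vlan", "mac-authentication critical vlan")
VSI_KEYS = ("mac-authentication guest-vsi", "mac-authentication critical vsi")

def parse_interfaces(text):
    """Map each interface name to the list of lines in its view."""
    ports, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line == "#":  # section separator ends the interface view
            current = None
        elif current is not None and line:
            current.append(line)
    return ports

def lint(text):
    """Return sorted (interface, rule) findings for the restrictions above."""
    findings = []
    for name, lines in parse_interfaces(text).items():
        has = lambda keys: any(l.startswith(keys) for l in lines)
        enabled = "mac-authentication" in lines  # bare enable command
        checks = {
            "vlan-vsi-conflict": has(VLAN_KEYS) and has(VSI_KEYS),
            "service-loopback-conflict": enabled and has("port service-loopback group"),
            "aggregation-member-ineffective": has("mac-authentication") and has("port link-aggregation group"),
            "unsupported-on-aggregate": name.startswith("Bridge-Aggregation") and has(VLAN_KEYS),
        }
        findings += [(name, rule) for rule, hit in checks.items() if hit]
    return sorted(findings)
```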