Enabling parallel processing of MAC authentication and 802.1X authentication
About parallel processing of MAC authentication and 802.1X authentication
This feature enables a port that processes MAC authentication after 802.1X authentication is finished to process MAC authentication in parallel with 802.1X authentication.
Make sure the port meets the following requirements:
The port is configured with both 802.1X authentication and MAC authentication and performs MAC-based access control for 802.1X authentication.
The port is enabled with the 802.1X unicast trigger.
When the port receives a packet from an unknown MAC address, it sends a unicast EAP-Request/Identity packet to the MAC address. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.
After MAC authentication succeeds, the port is assigned to the MAC authentication authorization VLAN.
If 802.1X authentication fails, the MAC authentication result takes effect.
If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result.
The process sequence of 802.1X authentication and MAC authentication is configurable in other ways. For the port to perform MAC authentication before it is assigned to the 802.1X guest VLAN or guest VSI, enable new MAC-triggered 802.1X guest VLAN or VSI assignment delay. For information about new MAC-triggered 802.1X guest VLAN or VSI assignment delay, see "Configuring 802.1X."
Restrictions and guidelines
To configure both 802.1X authentication and MAC authentication on the port, use one of the following methods:
Enable the 802.1X and MAC authentication features separately on the port.
Enable port security on the port. The port security mode must be userlogin-secure-or-mac or userlogin-secure-or-mac-ext.
For information about port security mode configuration, see "Configuring port security."
For the parallel processing feature to work correctly, do not enable MAC authentication delay on the port. This operation will delay MAC authentication after 802.1X authentication is triggered.
Procedure
Enter system view.
system-view
Enter interface view.
interface interface-type interface-number
Enable parallel processing of MAC authentication and 802.1X authentication on the port.
mac-authentication parallel-with-dot1x
By default, this feature is disabled.