Enabling the authorization-fail-offline feature
About the authorization-fail-offline feature
The authorization-fail-offline feature logs off port security users that fail ACL or user profile authorization.
A user fails ACL or user profile authorization in the following situations:
The device fails to authorize the specified ACL or user profile to the user.
The server assigns a nonexistent ACL or user profile to the user.
This feature does not apply to users that fail VLAN authorization. The device logs off these users directly.
You can also enable the quiet timer feature (the optional quiet-period keyword of the command in the procedure) for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature. The device adds these users to the 802.1X or MAC authentication quiet queue. Until the quiet timer expires, the device does not process packets from these users or authenticate them. If you do not enable the quiet timer feature, the device immediately authenticates these users upon receiving packets from them.
Prerequisites
For the quiet timer feature to take effect, complete the following tasks:
For 802.1X users, use the dot1x quiet-period command to enable the quiet timer and use the dot1x timer quiet-period command to set the timer.
For MAC authentication users, use the mac-authentication timer quiet command to set the quiet timer for MAC authentication.
Procedure
Enter system view.
system-view
Enable the authorization-fail-offline feature.
port-security authorization-fail offline [ quiet-period ]
By default, this feature is disabled, and the device does not log off users that fail ACL or user profile authorization.
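The following Python sketch is an added example, not part of the vendor documentation: it audits a saved configuration text for the commands this section names and reports when the feature is off or when the quiet-period keyword is set without its prerequisites. The one-command-per-line layout, the numeric timer arguments, and the sample configurations are assumptions constructed for illustration.

```python
import re

# Commands named in this section. Assumptions: the saved configuration lists
# each one on its own line as typed, and the timer commands take a number.
OFFLINE = re.compile(r"^port-security authorization-fail offline(\s+quiet-period)?$")
PREREQS = {  # quiet timer prerequisites per authentication method
    "802.1X: 'dot1x quiet-period' missing": r"^dot1x quiet-period$",
    "802.1X: 'dot1x timer quiet-period' not set": r"^dot1x timer quiet-period\s+\d+$",
    "MAC auth: 'mac-authentication timer quiet' not set": r"^mac-authentication timer quiet\s+\d+$",
}


def audit(config_text):
    """Return findings for one device configuration; an empty list is a pass."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    offline = next((m for m in map(OFFLINE.match, lines) if m), None)
    if offline is None:
        return ["authorization-fail offline disabled: users that fail ACL or "
                "user profile authorization are not logged off"]
    if offline.group(1) is None:
        return ["no quiet-period keyword: logged-off users are authenticated "
                "again as soon as the device receives packets from them"]
    # quiet-period takes effect only when the quiet timers are configured.
    return [msg for msg, pat in PREREQS.items()
            if not any(re.match(pat, ln) for ln in lines)]


# Constructed sample configurations (not taken from a real device).
DEFAULT_CFG = "#\nport-security enable\n#\n"
PARTIAL_CFG = ("#\nport-security enable\n"
               "port-security authorization-fail offline quiet-period\n"
               "mac-authentication timer quiet 90\n#\n")
COMPLETE_CFG = PARTIAL_CFG + "dot1x quiet-period\ndot1x timer quiet-period 90\n#\n"

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CFG), ("partial", PARTIAL_CFG),
                      ("complete", COMPLETE_CFG)]:
        print(name, audit(cfg) or "OK")
```
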