authentication mac-move enable

Usage Scenario

After a user is authenticated and accesses the network from one interface of the device, the network cable is pulled out from the interface and plugged in another interface on the device. In this case, the user cannot immediately initiate authentication and access the network. The user can initiate authentication on the current interface only after the user offline detection interval expires or the authentication interface is manually enabled and shut down to clear user online entries. To improve user experience, MAC address migration is enabled so that the user can immediately initiate authentication and access the network after be switched to another access interface.

MAC address migration allows online NAC authentication users to immediately initiate authentication and access the network after they are switched to other access interfaces. If the user is authenticated successfully on the new interface, the online user entry on the original interface is deleted immediately to ensure that only one interface records the online user entry.

In addition, VLANs need to be specified for users in MAC address migration. The VLANs before and after the migration can be specified for the users, and they can be the same or different.

Precautions

• In normal case, enabling MAC address migration is not recommended. It should be enabled only when users have migration requirements during roaming. This prevents unauthorized users from forging MAC addresses of online users and sending ARP, 802.1X, or DHCP packets on other authentication control interfaces to trigger the MAC address migration function and force authorized user offline.

• In the Policy Association and SVF scenario, the device does not support MAC address migration.
• In the Layer 2 BNG scenario, the device does not support MAC address migration.
• Cascading migration through intermediate devices is not supported, because ARP and DHCP packets are not sent after the cascading migration.
• The device does not support MAC address migration for a terminal with one MAC address and multiple IP addresses.
• MAC address migration is not supported for Layer 3 Portal authentication users.
• A user is switched from an interface configured with NAC authentication to another interface not configured with NAC authentication. In this case, the user can access the network only after the original online entry is aged because the new interface cannot send authentication packets to trigger MAC migration.
• In common mode, Portal authentication is triggered only after users who go online through a VLANIF interface send ARP packets and go offline; otherwise, the users can go online again only after the original user online entries age out. Portal authentication cannot be triggered after users who go online through physical interfaces migrate. The users can go online again only after the original user online entries age out.
• After a user who goes online from a VLANIF interface is quieted because of multiple MAC address migrations, MAC address migration can be performed for the quieted user only after the quiet period expires and the ARP entry is aged out.
• When an authorized VLAN is specified in the authentication mac-move enable vlan command, you are advised to enable the function of detecting the user status before user MAC address migration.