The authentication open command enables the NAC open function.
The undo authentication open command disables the NAC open function.
By default, the NAC open function is disabled on an interface.
In the system view:
authentication open interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo authentication open interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
authentication open
undo authentication open
| Parameter | Description | Value |
|---|---|---|
| interface { interface-type interface-number1 [ to interface-number2 ] } | Specifies the interface type and number. | - |
System view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view
Usage Scenario
On a newly deployed NAC network, the network administrator first needs to know how many users will potentially access the network and which authentication methods they use, rather than to control user access, because user names, passwords, and authorization information still have to be configured on the authentication server. Once 802.1X or MAC address authentication is configured on the access device, however, only authenticated users can access the network, so the administrator cannot obtain information about users who do not have user names and passwords on the authentication server.
The NAC open function allows users who fail authentication to access the network.
Precautions
The NAC open function applies only to 802.1X and MAC address authentication.
The NAC open function applies only to RADIUS remote authentication.
The NAC open function takes effect only when the interface uses the MAC address-based access control mode. After this function is enabled, users can be added to any VLAN other than a guest VLAN after they log in.
After NAC open is enabled on an interface and fixed user names are used for MAC address authentication, users on the interface are allowed to access the network even if they use incorrect user names or passwords.
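Because an interface with NAC open enabled admits users who fail authentication, it is worth checking which interfaces still have it on once the rollout phase is over. The following audit is an added example, not part of the original command reference or vendor code: it reads a text listing of commands in the two syntaxes shown above, applies them in order, and returns the interfaces left with NAC open enabled. The sample configuration, the `#` block separator, the expansion of `to` ranges on the last number component, and the function names are assumptions made for illustration.

```python
SAMPLE_CONFIG = """\
authentication open interface GigabitEthernet 0/0/1 to 0/0/3 GigabitEthernet 0/0/8
undo authentication open interface GigabitEthernet 0/0/2
#
interface GigabitEthernet0/0/3
 undo authentication open
#
interface GigabitEthernet0/0/5
 authentication open
#
"""  # constructed sample, not real device output

def expand(tokens):
    """Expand repeated 'type num1 [to num2]' groups into interface names."""
    names, i = [], 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError(f"interface number missing after {tokens[i]!r}")
        itype, first = tokens[i], tokens[i + 1]
        last, i = first, i + 2
        if i + 1 < len(tokens) and tokens[i].lower() == "to":
            last, i = tokens[i + 1], i + 2
        head, _, lo = first.rpartition("/")   # "0/0/1" -> ("0/0", "/", "1")
        head2, _, hi = last.rpartition("/")
        if head != head2 or int(lo) > int(hi):
            raise ValueError(f"unsupported range: {first} to {last}")
        sep = "/" if head else ""
        names += [f"{itype}{head}{sep}{n}" for n in range(int(lo), int(hi) + 1)]
    return names

def nac_open_interfaces(config):
    """Return the sorted interfaces left with NAC open enabled."""
    enabled, current = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # assumed end-of-block marker
            current = None
        elif line.startswith("interface "):  # entering an interface view
            current = line.split(None, 1)[1].replace(" ", "")
        undo = line.startswith("undo ")
        cmd = line[5:].strip() if undo else line
        if cmd == "authentication open" and current:
            targets = [current]              # interface-view form
        elif cmd.startswith("authentication open interface "):
            targets = expand(cmd.split()[3:])  # system-view form
        else:
            continue
        # A later command overrides an earlier one for the same interface.
        (enabled.difference_update if undo else enabled.update)(targets)
    return sorted(enabled)
```

Calling `nac_open_interfaces(SAMPLE_CONFIG)` returns the interfaces to review; any entry that is no longer in a rollout phase is a candidate for `undo authentication open`.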