authentication pre-authen-access enable

Function

The authentication pre-authen-access enable command enables the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

The undo authentication pre-authen-access enable command disables the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

By default, the device keeps users who fail to be authenticated and do not have any network access rights in the pre-connection state.

Format

authentication pre-authen-access enable

undo authentication pre-authen-access enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a user terminal connects to an NAC-enabled interface on the device, a pre-connection is set up between the terminal and the device. If the device is not configured to grant network access rights to users in the pre-connection or authentication failure state, users who fail to be authenticated remain in the pre-connection state by default. Because the device allows DHCP packets from pre-connection users to pass through, these users can still obtain IP addresses even though they have no network access rights, which wastes IP addresses and introduces network security risks.

You can run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state. This configuration ensures that the users cannot obtain IP addresses.

Precautions

  • This function does not take effect for users who use Portal authentication or combined authentication (including Portal authentication).
  • The undo authentication pre-authen-access enable command does not take effect for pre-connection users for whom network access permissions are configured.
  • To use VLAN-based authorization (excluding authentication of pre-connection users), run the undo authentication pre-authen-access enable command to disable the pre-connection function first.
  • When 802.1X authentication or MAC authentication is configured on a physical interface, the free-rule command configuration will not take effect after the pre-connection function is disabled.
  • If a terminal connected to the device, such as a MacBook laptop, is not authenticated after obtaining an IP address, it is recommended that you run the undo authentication pre-authen-access enable command on the device to disable the pre-connection function and then connect the terminal to the network again.
  • If a user in pre-connection state attempts to go online using DHCP packets containing the Option 82 field but fails to go online, it is recommended that you run the undo authentication pre-authen-access enable command on the device to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.
  • When Layer 2 Portal authentication is deployed on a non-gateway device, do not run the undo authentication pre-authen-access enable command to disable the pre-connection function. Otherwise, Layer 2 Portal authentication will not take effect.

Example

# Disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

<HUAWEI> system-view
[HUAWEI] undo authentication pre-authen-access enable
Copyright © Huawei Technologies Co., Ltd.