
(Optional) Configuring Re-authentication for Online MAC Address Authentication Users

Context

If the administrator modifies parameters such as access rights and authorization attributes of an online user on the authentication server, the user must be re-authenticated to ensure user validity.

The device saves user authentication information after users go online. If re-authentication is configured for online MAC address authentication users, the device sends the saved authentication parameters of an online user to the authentication server for re-authentication. If the user authentication information on the authentication server remains unchanged, the user stays online. If the information has been modified, the user is disconnected and needs to be re-authenticated.

MAC address authentication users who go online through a VLANIF interface do not support re-authentication.

If the device is connected to a server for re-authentication and the server replies with a re-authentication deny message that makes an online user go offline, it is recommended that you locate the cause of the re-authentication failure on the server or disable the re-authentication function on the device.

The device re-authenticates MAC address authentication users in the following modes:
  • The device periodically re-authenticates users using a specified MAC access profile.
    After this function is configured, many MAC address authentication logs will be generated.
  • The device re-authenticates MAC address authentication users when receiving DHCP lease renewal packets from the users. This mode takes effect only after the device is configured to trigger MAC address authentication through DHCP packets.
  • The device is manually configured to re-authenticate a user with a specified MAC address once.

Procedure

  • Configuring periodic re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run mac-access-profile name access-profile-name

      The MAC access profile view is displayed.

    3. Run mac-authen reauthenticate

      Re-authentication is enabled for online MAC address authentication users.

      By default, re-authentication for online MAC address authentication users is disabled.

    4. (Optional) Run mac-authen timer reauthenticate-period reauthenticate-period-value

      The re-authentication interval is configured for online MAC address authentication users.

      By default, the re-authentication interval is 1800 seconds for online MAC address authentication users.

      It is recommended that the re-authentication interval be set to the default value. If multiple ACLs need to be delivered during user authorization, you are advised to disable the re-authentication function or set a longer re-authentication interval to improve the device's processing performance.

      In remote authentication and authorization, if the re-authentication interval is set to a shorter time, the CPU usage may be higher.

      To reduce the impact on device performance when many users exist, the actual interval at which a user is re-authenticated may be longer than the configured re-authentication interval.

  • Configuring re-authentication triggered by DHCP lease renewal packets
    1. Run system-view

      The system view is displayed.

    2. Run mac-access-profile name access-profile-name

      The MAC access profile view is displayed.

    3. Run mac-authen reauthenticate dhcp-renew

      The device is enabled to re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

      By default, the device does not re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

  • Configuring single-time re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run mac-authen reauthenticate mac-address mac-address

      The device is manually configured to re-authenticate a user with a specified MAC address once.
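
The following Python script is an added example, not part of the original documentation or any vendor tool. It audits a saved configuration for the profile-level commands described above and lists MAC access profiles in which neither periodic nor DHCP-renew re-authentication is enabled, so that authorization changes made on the server would not reach users who are already online. The profile names, the sample text and the configuration layout (unindented profile header, indented commands, `#` between sections) are assumptions.

```python
import re

DEFAULT_PERIOD = 1800  # default re-authentication interval (seconds), per this page

# Constructed sample configuration; names and layout are assumptions.
SAMPLE_CONFIG = """\
#
mac-access-profile name guest_prof
 mac-authen reauthenticate
 mac-authen timer reauthenticate-period 3600
#
mac-access-profile name printer_prof
 mac-authen reauthenticate dhcp-renew
#
mac-access-profile name legacy_prof
#
"""

def audit_reauth(config_text):
    """Return {profile: {"periodic": bool, "period": int, "dhcp_renew": bool}}."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"mac-access-profile name (\S+)", line)
        if m:
            current = profiles.setdefault(m.group(1), {
                "periodic": False, "period": DEFAULT_PERIOD, "dhcp_renew": False})
            continue
        if current is None:
            continue
        if not raw[:1].isspace():      # unindented line: profile view has ended
            current = None
        elif line == "mac-authen reauthenticate":
            current["periodic"] = True
        elif line == "mac-authen reauthenticate dhcp-renew":
            current["dhcp_renew"] = True
        else:
            t = re.fullmatch(r"mac-authen timer reauthenticate-period (\d+)", line)
            if t:
                current["period"] = int(t.group(1))
    return profiles

def profiles_without_reauth(config_text):
    """Names of profiles with no automatic re-authentication mode enabled."""
    audited = audit_reauth(config_text)
    return sorted(n for n, p in audited.items()
                  if not (p["periodic"] or p["dhcp_renew"]))

if __name__ == "__main__":
    print("no re-authentication:", profiles_without_reauth(SAMPLE_CONFIG))
```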

Copyright © Huawei Technologies Co., Ltd.