
Pre-Connection

After the pre-connection function is enabled, users enter the pre-connection state before the authentication succeeds and after the authentication fails. You can configure network access permissions granted to users in pre-connection state. Otherwise, these users have no network access permission.

Pre-connection is triggered under either of the following conditions:
  • After being started, the client sends any packet to the access device and the user enters the pre-connection state.
  • After a user fails the authentication, the user enters the pre-connection state.

The access device deletes an existing user entry if ARP probe detects that the user is offline or the physical link is Down for more than T seconds. If the access device has a user entry that is not aged out when the client is connected, no pre-connection log is generated. If a user fails the first authentication, the user stays in the pre-connection state until the user goes offline. The following assumes that no user entry exists on the access device before the client is connected, and describes the state of the pre-connection mechanism upon a re-authentication failure.

When a client is directly connected to an access device, the interfaces of the client and the access device go Down after the client is shut down. When a client is connected to the access device through an IP phone, the interface of the access device connected to the IP phone does not go Down after the client is shut down. The following describes pre-connection log generation in those scenarios. Assume that an interface link is faulty, the user logout delay is T seconds, and the user's ARP probe ends within T seconds.

Direct Connection Between the Client and the Access Device

Figure 1 Direct connection between the client and the access device
  1. After being started, the client sends any packet to the access device and establishes a pre-connection with it. The access device then generates a pre-connection log.
  2. The access device performs 802.1X authentication for the user. After the user passes the authentication, the access device generates an authentication success log.
  3. The access device periodically re-authenticates the user and generates an authentication success log each time the user passes re-authentication.
  4. After the client is shut down, the interface of the client goes Down, and the interface of the access device goes Down after T seconds. If the (N+1)th re-authentication is performed for the user within the T-second delay, user authentication fails and the access device generates a pre-connection log. Otherwise, the (N+1)th re-authentication is not performed after the interface goes Down.
  5. After ARP probe fails, the user goes offline.

Non-direct Connection Between the Client and the Access Device

Figure 2 Non-direct connection between the client and the access device
  1. After being started, the client sends any packet to the access device and establishes a pre-connection with it. The access device then generates a pre-connection log.
  2. The access device performs 802.1X authentication for the user. After the user passes the authentication, the access device generates an authentication success log.
  3. The access device periodically re-authenticates the user and generates an authentication success log each time the user passes re-authentication.
  4. After the client is shut down, the interface of the access device sends packets normally because the interface is connected to an IP phone. If the (N+1)th re-authentication is performed for the user before ARP probe fails, user authentication fails and the device generates a pre-connection log. Otherwise, the user goes offline after ARP probe fails and the (N+1)th re-authentication is not performed.
  5. After ARP probe fails, the user goes offline.
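
The following timeline model is an added example, not Huawei code or device output. It replays steps 1 to 4 of both scenarios and picks out pre-connection logs that follow a success log, which is the pattern a re-authentication failure leaves behind. The log labels, the Scenario fields and the sample timings are assumptions made for illustration.

```python
from dataclasses import dataclass

PRECONN, AUTH_OK = "PRE_CONNECTION", "AUTH_SUCCESS"  # constructed labels

@dataclass
class Scenario:
    direct: bool            # True: client cabled straight to the access device
    auth_at: float          # first 802.1X success, seconds after client start
    reauth_interval: float  # period of re-authentication, seconds
    shutdown_at: float      # client power-off, seconds after client start
    t_delay: float          # T: user logout delay after the link fault
    arp_fail_after: float   # seconds from shutdown until ARP probe fails

def expected_logs(s: Scenario) -> list[tuple[float, str]]:
    """Ordered (time, label) log events that the steps above predict."""
    logs = [(0.0, PRECONN), (s.auth_at, AUTH_OK)]        # steps 1 and 2
    t = s.auth_at + s.reauth_interval
    while t < s.shutdown_at:                              # step 3
        logs.append((t, AUTH_OK))
        t += s.reauth_interval
    # t is now the (N+1)th re-authentication, the first one due after shutdown.
    # Step 4: it runs (and fails) only inside the window the page gives:
    # the T-second delay for direct connection, else until ARP probe fails.
    window = s.t_delay if s.direct else s.arp_fail_after
    if t < s.shutdown_at + window:
        logs.append((t, PRECONN))
    return logs

def reauth_failures(logs):
    """Times of pre-connection logs that directly follow a success log."""
    return [t for i, (t, label) in enumerate(logs)
            if label == PRECONN and i > 0 and logs[i - 1][1] == AUTH_OK]

if __name__ == "__main__":
    # Constructed timings: auth at 1 s, re-auth every 60 s, shutdown at 100 s.
    for direct, T, arp in [(True, 30, 10), (True, 10, 5),
                           (False, 30, 25), (False, 30, 10)]:
        s = Scenario(direct, 1, 60, 100, T, arp)
        kind = "direct" if direct else "via IP phone"
        print(kind, "T =", T, "ARP =", arp, reauth_failures(expected_logs(s)))
```

The initial pre-connection log at client start is never reported, because no success log precedes it.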
Copyright © Huawei Technologies Co., Ltd.