Configuration Guide Vol. 2


6.2.2 Terminal detection operation switching option

If no authenticated terminal exists, the Switch multicasts EAP-Request/Identity at the interval specified by the tx-period command in order to detect terminals that have not yet been authenticated. When the authentication submode is terminal authentication mode, authenticated terminals and pre-authentication terminals coexist on the same port, so terminal detection must continue even while an authenticated terminal exists. However, a multicast EAP-Request/Identity is also received by the authenticated terminals, which causes them to re-authenticate.

In terminal authentication mode only, the Switch lets you choose the terminal detection operation from four methods. Understand the characteristics of each method and select the one appropriate for your environment. The terminal detection operation is specified with the dot1x supplicant-detection command; if it is not specified, shortcut is used. Note that the EAP-Request/Identity multicast sent by the Switch is an untagged frame. When a trunk port is used as an authentication port, the multicast therefore cannot reach an authentication terminal that belongs to a VLAN other than the native VLAN; on such ports, specify auto with the dot1x supplicant-detection command.

The operation of each method is described below.


(1) auto

EAP-Request/Identity is not multicast. A pre-authentication terminal is detected when the Switch receives any frame sent by that terminal, and authentication starts.

With this method, EAP-Request/Identity never reaches authenticated terminals, so there is no re-authentication load on them. This method is recommended because it has neither a detection problem nor a load problem.

The following figure shows the EAP-Request/Identity sequence when auto is specified.

Figure 6-4 Sequence of EAP-Request/Identity when auto is specified

[Figure Data]

(2) disable

When an authenticated terminal exists, EAP-Request/Identity is not multicast. A pre-authentication terminal is detected only when the Switch receives an EAPOL-Start sent by that terminal, and authentication then starts.

For this reason, a pre-authentication terminal running Supplicant software that does not send EAPOL-Start on its own cannot be detected. In such cases, either configure the Supplicant to send EAPOL-Start or specify auto for the terminal detection operation of the Switch.

With this method, EAP-Request/Identity does not reach authenticated terminals, so they are not re-authenticated.

The following figure shows the EAP-Request/Identity sequence when disable is specified.

Figure 6-5 Sequence of EAP-Request/Identity when disable is specified

[Figure Data]

(3) full

EAP-Request/Identity is multicast even when authenticated terminals exist. A pre-authentication terminal receives this frame, responds to it, and authentication starts.

An authenticated terminal that receives this frame also starts re-authentication. With this method, the re-authentication runs the complete authentication sequence; nothing is omitted.

Because every authenticated terminal re-authenticates at each interval, the load grows in proportion to the number of terminals. To avoid the impact of this load, limit the number of terminals per authentication unit to 20 or less.

The following figure shows the EAP-Request/Identity sequence when full is specified.

Figure 6-6 Sequence of EAP-Request/Identity when full is specified

[Figure Data]

(4) shortcut

EAP-Request/Identity is multicast even when authenticated terminals exist. A pre-authentication terminal receives this frame, responds to it, and authentication starts.

An authenticated terminal that receives this frame also starts re-authentication. With this method, the load is reduced by omitting the authentication sequence and sending EAP-Success to the authenticated terminal immediately.

However, some Supplicant software treats an EAP-Success that arrives immediately, without the expected exchange, as an authentication failure. As a result, communication may be interrupted immediately after authentication or within a few minutes of it, or the load may increase because the terminal repeatedly re-authenticates.

The following figure shows the EAP-Request/Identity sequence when shortcut is specified.

Figure 6-7 Sequence of EAP-Request/Identity when shortcut is specified (default)

[Figure Data]
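The following Python model summarizes the behaviour of the four detection methods (auto, disable, full, shortcut) described above: when the tx-period timer multicasts EAP-Request/Identity, which frames from a pre-authentication terminal count as detection, and what happens when an authenticated terminal answers the multicast. It is an added illustration, not code from the Switch or from this guide. The EAPOL/EAP frame layout follows IEEE 802.1X; the MAC addresses, the tx-period value, the identity string and the action names returned by the model are assumptions made here for the example.

```python
"""
Model of the four dot1x supplicant-detection modes (auto / disable / full /
shortcut).  Constructed illustration, not switch code: the EAPOL/EAP layout
follows IEEE 802.1X, while the MAC addresses, tx-period value and action
names are assumptions made for this example.
"""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # EAPOL group (multicast) destination
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1              # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3  # EAP codes
EAP_TYPE_IDENTITY = 1

SWITCH_MAC = bytes.fromhex("0200000000aa")        # assumed switch MAC
PC_A = bytes.fromhex("0200000000a1")              # assumed authenticated terminal
PC_B = bytes.fromhex("0200000000b2")              # assumed pre-authentication terminal


def eapol_frame(dst, src, eapol_type, body=b""):
    """Untagged Ethernet frame carrying an EAPOL PDU (protocol version 2)."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, eapol_type, len(body)) + body


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet: code, identifier, total length, then optional type/data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def classify(frame):
    """Return (src MAC, kind); kind is 'EAPOL-Start', 'EAP-Response/Identity'
    or 'other' (any non-EAPOL traffic, EAP-Request, EAP-Success, ...)."""
    src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return src, "other"
    _, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if eapol_type == EAPOL_START:
        return src, "EAPOL-Start"
    eap = frame[18:18 + length]
    if eapol_type == EAPOL_EAP_PACKET and len(eap) >= 5:
        code, _, _, eap_type = struct.unpack("!BBHB", eap[:5])
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            return src, "EAP-Response/Identity"
    return src, "other"


class AuthPort:
    """A terminal-authentication-mode port running one detection method."""

    def __init__(self, mode, tx_period=30):
        assert mode in ("auto", "disable", "full", "shortcut")
        self.mode = mode
        self.tx_period = tx_period   # seconds between multicast probes (assumed value)
        self.authenticated = set()   # MACs that have completed authentication

    def probe_on_timer(self):
        """Frame the tx-period timer multicasts now, or None if it stays silent."""
        if self.mode == "auto":
            return None                        # auto never multicasts EAP-Request/Identity
        if not self.authenticated or self.mode in ("full", "shortcut"):
            return eapol_frame(PAE_GROUP_ADDR, SWITCH_MAC, EAPOL_EAP_PACKET,
                               eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        return None                            # disable: silent while anyone is authenticated

    def on_frame(self, frame):
        """Action the switch takes on one received frame."""
        src, kind = classify(frame)
        if src in self.authenticated:
            if kind != "EAP-Response/Identity":
                return "forward"               # ordinary traffic from an authenticated terminal
            # An authenticated terminal answered the multicast probe.
            if self.mode == "full":
                return "start-reauthentication"  # complete EAP sequence, load grows per terminal
            if self.mode == "shortcut":
                return "send-EAP-Success"      # sequence omitted; some supplicants treat this as failure
            return "ignore"                    # auto/disable never sent the probe
        # Pre-authentication terminal: what counts as detection depends on the mode.
        if self.mode == "auto":
            return "start-authentication"      # any frame at all is enough
        if kind in ("EAPOL-Start", "EAP-Response/Identity"):
            return "start-authentication"      # supplicant spoke first, or answered a probe
        return "drop"                          # disable: a silent supplicant is never detected


def demo(mode):
    """Run the same events through a port in the given mode and collect the actions."""
    port = AuthPort(mode)
    port.authenticated.add(PC_A)
    answer = eapol_frame(SWITCH_MAC, PC_A, EAPOL_EAP_PACKET,
                         eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice"))
    plain = b"\xff" * 6 + PC_B + struct.pack("!H", 0x0800) + b"\x00" * 20  # constructed IPv4 frame
    return {
        "probe_sent": port.probe_on_timer() is not None,
        "pc_a_answers_probe": port.on_frame(answer),
        "pc_b_plain_frame": port.on_frame(plain),
        "pc_b_eapol_start": port.on_frame(eapol_frame(PAE_GROUP_ADDR, PC_B, EAPOL_START)),
    }


if __name__ == "__main__":
    for m in ("auto", "disable", "full", "shortcut"):
        print(m, demo(m))
```

Running the model shows the trade-off the text describes: only auto detects PC_B from an ordinary frame without ever probing PC_A; disable also leaves PC_A alone but misses PC_B until it sends EAPOL-Start; full and shortcut both detect PC_B via the probe, at the price of re-authenticating (full) or short-circuiting (shortcut) every authenticated terminal each tx-period.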