Configuration Guide Vol. 2


6.2.2 Terminal detection operation switching option

If there are no authenticated terminals, the Switch multicasts EAP-Request/Identity at the interval specified by the tx-period command in order to detect unauthenticated terminals. When the authentication submode is terminal authentication mode, authenticated terminals and pre-authentication terminals share the same port, so terminals must still be detected even when an authenticated terminal exists. However, a multicast EAP-Request/Identity is also received by the authenticated terminals, which causes them to re-authenticate.

In the Switch, you can select from four terminal detection methods that apply when an authenticated terminal exists in terminal authentication mode. Understand the characteristics of each method and select the appropriate terminal detection behavior. The terminal detection operation is specified with the supplicant-detection command. If it is not specified, shortcut is used.

This section explains the operation of each method.


(1) auto

If an authenticated terminal exists, EAP-Request/Identity is not multicast. The pre-authentication terminal is detected by receiving any frame sent by the pre-authentication terminal, and authentication starts.

With this method, EAP-Request/Identity does not reach the authenticated terminal, so there is no burden of reauthenticating the authenticated terminal. This method is recommended because there is no problem with detection or load.

Terminals connected to a channel group cannot be detected by receiving an arbitrary frame. For such terminals, as with disable, only an EAPOL-Start sent by the unauthenticated terminal is received. If the terminal cannot be connected other than through a channel group and its Supplicant cannot be set to send EAPOL-Start, specify full or shortcut for the terminal detection operation of the Switch.

The following figure shows the EAP-Request/Identity sequence when auto is specified.

Figure 6-10: EAP-Request/Identity sequence with auto

[Figure Data]

(2) disable

If an authenticated terminal exists, EAP-Request/Identity is not multicast. The pre-authentication terminal is detected by receiving EAPOL-Start sent by the pre-authentication terminal, and authentication starts.

For this reason, if you use Supplicant software that does not autonomously send EAPOL-Start, the pre-authentication terminal cannot be detected. In such cases, either configure the Supplicant to send EAPOL-Start or specify auto for the terminal detection operation of the Switch.

With this method, EAP-Request/Identity does not reach the authenticated terminal, so there is no need to re-authenticate the authenticated terminal.

The following figure shows the EAP-Request/Identity sequence when disable is specified.

Figure 6-11: EAP-Request/Identity sequence with disable

[Figure Data]

(3) full

Multicast EAP-Request/Identity is sent even when authenticated terminals exist. The pre-authentication terminal starts authentication by receiving and responding to this frame.

The authenticated terminal also starts re-authentication when it receives this frame. In this method, the authenticated terminal's re-authentication runs the full authentication sequence; nothing is omitted.

Because authenticated terminals regularly re-authenticate, the load is proportional to the number of terminals. To avoid the impact of the load, limit the number of terminals per authentication unit to 20 or less.

The following figure shows the EAP-Request/Identity sequence when full is specified.

Figure 6-12: EAP-Request/Identity sequence with full

[Figure Data]

(4) shortcut

Multicast EAP-Request/Identity is sent even when authenticated terminals exist. The pre-authentication terminal starts authentication by receiving and responding to this frame.

The authenticated terminal also starts re-authentication when it receives this frame. In this method, when an authenticated terminal starts re-authentication, the load is reduced by omitting the authentication sequence and sending EAP-Success immediately.

However, some Supplicant software treats an EAP-Success sent immediately as an authentication failure. As a result, communication may be interrupted immediately after authentication, communication may be interrupted within a few minutes after authentication, or the load may increase because re-authentication is repeated.

The following figure shows the EAP-Request/Identity sequence when shortcut is specified.

Figure 6-13: EAP-Request/Identity sequence with shortcut (default)

[Figure Data]
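The following is an added example, not part of this guide or the Switch's own software, that models the four detection methods described in (1) to (4) so their trade-offs can be compared on a constructed set of terminals. It assumes a hypothetical `Terminal` record with flags for whether the terminal is already authenticated, whether its Supplicant autonomously sends EAPOL-Start, and whether it is attached through a channel group; the mode names and the behaviors (no multicast under auto/disable when an authenticated terminal exists, any-frame detection under auto except on channel groups, EAPOL-Start-only detection under disable, full re-authentication under full, immediate EAP-Success under shortcut, and the 20-terminal guideline for full) follow the text above.

```python
from dataclasses import dataclass

# Detection modes as named in the guide.
MODES = ("auto", "disable", "full", "shortcut")

# Guideline from the guide for full mode: keep terminals per
# authentication unit at or below this number to limit re-auth load.
FULL_MODE_TERMINAL_LIMIT = 20


@dataclass
class Terminal:
    """Hypothetical record describing one terminal on the authentication port."""
    name: str
    authenticated: bool
    sends_eapol_start: bool = True   # Supplicant sends EAPOL-Start on its own
    on_channel_group: bool = False   # attached via a channel group (link aggregation)


def multicasts_request_identity(mode, authenticated_present):
    """Whether the Switch multicasts EAP-Request/Identity each tx-period.

    With no authenticated terminal every mode multicasts (the detection
    method only matters once an authenticated terminal exists).
    """
    if mode not in MODES:
        raise ValueError(f"unknown supplicant-detection mode: {mode}")
    if not authenticated_present:
        return True
    return mode in ("full", "shortcut")


def simulate(mode, terminals):
    """Return (detected, reauth) for one tx-period.

    detected: names of pre-authentication terminals the Switch detects.
    reauth:   (name, kind) for each authenticated terminal that re-authenticates,
              kind being "full-sequence" (full) or "eap-success-only" (shortcut).
    """
    auth_present = any(t.authenticated for t in terminals)
    multicast = multicasts_request_identity(mode, auth_present)
    detected, reauth = [], []
    for t in terminals:
        if t.authenticated:
            if multicast:
                kind = "full-sequence" if mode == "full" else "eap-success-only"
                reauth.append((t.name, kind))
            continue
        if multicast:
            # Pre-authentication terminal answers EAP-Request/Identity.
            detected.append(t.name)
        elif mode == "auto":
            # Any frame detects the terminal, except on a channel group,
            # where only EAPOL-Start is received.
            if not t.on_channel_group or t.sends_eapol_start:
                detected.append(t.name)
        elif mode == "disable":
            if t.sends_eapol_start:
                detected.append(t.name)
    return detected, reauth


def full_mode_load_ok(terminals, limit=FULL_MODE_TERMINAL_LIMIT):
    """Apply the guide's sizing rule for full: at most `limit` terminals per unit."""
    return len(terminals) <= limit


if __name__ == "__main__":
    # Constructed sample: one authenticated PC plus three pre-authentication
    # terminals with different Supplicant and attachment characteristics.
    sample = [
        Terminal("pc1", authenticated=True),
        Terminal("pc2", authenticated=False),
        Terminal("pc3", authenticated=False, sends_eapol_start=False),
        Terminal("pc4", authenticated=False, sends_eapol_start=False, on_channel_group=True),
    ]
    for mode in MODES:
        detected, reauth = simulate(mode, sample)
        print(f"{mode:9s} detected={detected} reauth={reauth}")
    print("full-mode sizing ok:", full_mode_load_ok(sample))
```

Running the sample shows the trade-off in one table: auto detects every terminal except the channel-group one whose Supplicant never sends EAPOL-Start, disable detects only terminals that send EAPOL-Start, and full and shortcut detect everything but at the cost of re-authenticating pc1 every tx-period (a full exchange under full, a bare EAP-Success under shortcut).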