Switch Features 61• Dynamic ARP Inspection: By default, if Dynamic ARP Inspection packetsare received on a port at a rate that exceeds 15 pps for 1 second, the portwill be diagnostically disabled. The threshold is configurable up to 300 ppsand the burst is configurable up to 15s long using the ip arpinspection limit command.A port that is diagnostically disabled due to exceeding one of the above limitsmay be returned to service using the no shut command.Captive PortalThe Captive Portal feature blocks clients from accessing the network untiluser verification has been established. When a user attempts to connect tothe network through the switch, the user is presented with a customized Webpage that might contain username and password fields or the acceptable usepolicy. You can require users to be authenticated by a local or remote RADIUSdatabase before access is granted.For information about configuring the Captive Portal features, see"Configuring Captive Portal" on page 419.Dot1x Authentication (IEEE 802.1X)Dot1x authentication enables the authentication of system users through alocal internal server or an external server. Only authenticated and approvedsystem users can transmit and receive data. Supplicants are authenticatedusing the Extensible Authentication Protocol (EAP). PEAP, EAP-TTL, EAP-TTLS, and EAP-TLS are supported for remote authentication servers. Local(IAS) authentication supports EAP-MD5 only.For information about configuring IEEE 802.1X settings, see "ConfiguringPort and System Security" on page 481.MAC-Based 802.1X AuthenticationMAC-based authentication allows multiple supplicants connected to thesame port to each authenticate individually. For example, a system attachedto the port might be required to authenticate in order to gain access to thenetwork, while a VoIP phone might not need to authenticate in order to sendvoice traffic through the port.For information about configuring MAC-based 802.1X authentication, see"Configuring Port and System Security" on page 481.