BigIron RX Series Configuration Guide 92353-1001986-01Configuring multi-device port authentication 31If a previous authentication attempt for a MAC address failed, and as a result the port was placedin the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUSAccess-Accept message may specify a VLAN for the port. By default, the device moves the port outof the restricted VLAN and into the RADIUS-specified VLAN. You can optionally configure the deviceto ignore the RADIUS-specified VLAN in the RADIUS Access-Accept message, and leave the port inthe restricted VLAN.To do this, enter the following command.BigIron RX(config)# mac-authentication no-override-restrict-vlanSyntax: [no] mac-authentication no-override-restrict-vlanNotes:• For untagged ports, if the VLAN ID provided by the RADIUS server is valid, then the port isremoved from its current VLAN and moved to the RADIUS-specified VLAN as an untagged port.• If you configure dynamic VLAN assignment on a multi-device port authentication enabledinterface, and the Access-Accept message returned by the RADIUS server does not contain aTunnel-Private-Group-ID attribute, then it is considered an authentication failure, and theconfigured authentication failure action is performed for the MAC address.• If the string does not match either the name or the ID of a VLAN configured onthe device, then it is considered an authentication failure, and the configured authenticationfailure action is performed for the MAC address.• If an untagged port had previously been assigned to a VLAN though dynamic VLAN assignment,and then another MAC address is authenticated on the same port, but the RADIUSAccess-Accept message for the second MAC address specifies a different VLAN, then it isconsidered an authentication failure for the second MAC address, and the configuredauthentication failure action is performed. Note that this applies only if the first MAC addresshas not yet aged out. If the first MAC address has aged out, then dynamic VLAN assignmentwould work as expected for the second MAC address.Specifying to which VLAN a port is moved after itsRADIUS-specified VLAN assignment expiresWhen a port is dynamically assigned to a VLAN through the authentication of a MAC address, andthe MAC session for that address is deleted on the device, then by default the port is removed fromits RADIUS-assigned VLAN and placed back in the VLAN where it was originally assigned.A port can be removed from its RADIUS-assigned VLAN when any of the following occur:• The link goes down for the port• The MAC session is manually deleted with the mac-authentication clear-mac-sessioncommand• The MAC address that caused the port to be dynamically assigned to a VLAN ages outFor example, say port 1/1 is currently in VLAN 100, to which it was assigned when MAC address0007.eaa1.e90f was authenticated by a RADIUS server. The port was originally configured to be inVLAN 111. If the MAC session for address 0007.eaa1.e90f is deleted, then port 1/1 is moved fromVLAN 100 back into VLAN 111.You can optionally specify an alternate VLAN to which to move the port when the MAC session forthe address is deleted. For example, to place the port in the restricted VLAN, enter commands suchas the following.