topic N/S-Series MAC Authentication Failures will not Retry with Default Quietperiod in FAQs https://community.extremenetworks.com/t5/faqs/n-s-series-mac-authentication-failures-will-not-retry-with/m-p/46588#M405 Article ID: 12933 <BR /> <BR /> <B>Products</B><BR /> Matrix N-Series DFE<BR /> S-Series<BR /> <BR /> <B>Changes</B><BR /> Enabled MAC Authentication ('<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set macauthentication...</PRE></DIV>', '<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set radius...</PRE></DIV>', '<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set multiauth...</PRE></DIV>').<BR /> Users on one or more ports have failed authentication, for any reason.<BR /> <BR /> <B>Symptoms</B><BR /> Authentication continues to fail for those users (= MACs), unless the failure is cleared from the port.<BR /> <BR /> <B>Cause</B><BR /> Failed authentications (rejects received from the RADIUS server) are treated differently than other types of failures (timeouts, resource issues, etc.). The macauthentication quiet period is the key here and is set to <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">0</PRE></DIV> by default. <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">0</PRE></DIV> indicates "wait forever regardless of the port state transitions". If you set the quiet period to some other value you will see the same MAC that previously failed try to auth again after that period.<BR /> <BR /> <B>Solution/Workaround</B><BR /> Functions as Designed (FAD).<BR /> <BR /> In operational networks, the quiet period is normally left at its default value. This is because machine-type authentications rarely fail, and when they do, there is usually a good reason - such as an unauthorized user attempting to gain network access.<BR /> <BR /> However, manipulation of this parameter can be helpful during MAC Authentication testing and deployment, to help speed up that process.<BR /> <BR /> To attempt <I>re</I>authentication on a port, after some period of time:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set macauthentication quietperiod</PRE></DIV> <BR /> <BR /> To clear a prior failure that has already occurred on the same port while <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">quietperiod=0</PRE></DIV>:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">clear multiauth station port</PRE></DIV> <BR /> <BR /> See also: <A href="http://bit.ly/1q7gmjz" target="_blank" rel="nofollow noreferrer noopener">7664</A>. Mon, 15 Sep 2014 18:31:00 GMT FAQ_User 2014-09-15T18:31:00Z N/S-Series MAC Authentication Failures will not Retry with Default Quietperiod https://community.extremenetworks.com/t5/faqs/n-s-series-mac-authentication-failures-will-not-retry-with/m-p/46588#M405 Article ID: 12933 <BR /> <BR /> <B>Products</B><BR /> Matrix N-Series DFE<BR /> S-Series<BR /> <BR /> <B>Changes</B><BR /> Enabled MAC Authentication ('<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set macauthentication...</PRE></DIV>', '<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set radius...</PRE></DIV>', '<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set multiauth...</PRE></DIV>').<BR /> Users on one or more ports have failed authentication, for any reason.<BR /> <BR /> <B>Symptoms</B><BR /> Authentication continues to fail for those users (= MACs), unless the failure is cleared from the port.<BR /> <BR /> <B>Cause</B><BR /> Failed authentications (rejects received from the RADIUS server) are treated differently than other types of failures (timeouts, resource issues, etc.). The macauthentication quiet period is the key here and is set to <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">0</PRE></DIV> by default. <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">0</PRE></DIV> indicates "wait forever regardless of the port state transitions". If you set the quiet period to some other value you will see the same MAC that previously failed try to auth again after that period.<BR /> <BR /> <B>Solution/Workaround</B><BR /> Functions as Designed (FAD).<BR /> <BR /> In operational networks, the quiet period is normally left at its default value. This is because machine-type authentications rarely fail, and when they do, there is usually a good reason - such as an unauthorized user attempting to gain network access.<BR /> <BR /> However, manipulation of this parameter can be helpful during MAC Authentication testing and deployment, to help speed up that process.<BR /> <BR /> To attempt <I>re</I>authentication on a port, after some period of time:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">set macauthentication quietperiod</PRE></DIV> <BR /> <BR /> To clear a prior failure that has already occurred on the same port while <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">quietperiod=0</PRE></DIV>:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">clear multiauth station port</PRE></DIV> <BR /> <BR /> See also: <A href="http://bit.ly/1q7gmjz" target="_blank" rel="nofollow noreferrer noopener">7664</A>. Mon, 15 Sep 2014 18:31:00 GMT https://community.extremenetworks.com/t5/faqs/n-s-series-mac-authentication-failures-will-not-retry-with/m-p/46588#M405 FAQ_User 2014-09-15T18:31:00Z