eapol-block
Syntax
eapol-block {
    captive-portal;
    mac-radius;
    server-fail <seconds>;
}
Hierarchy Level
[edit logical-systems name protocols dot1x authenticator interface (all | interface-names)]
[edit logical-systems name protocols dot1x authenticator interface (all | interface-names) (server-reject-bridge-domain | server-reject-vlan)]
[edit protocols dot1x authenticator interface (all | interface-names)]
[edit protocols dot1x authenticator interface (all | interface-names) (server-reject-bridge-domain | server-reject-vlan)]
Description
Enable the device to ignore Extensible Authentication Protocol over LAN (EAPoL)-Start messages received from a client that has already been authenticated, so that the device does not trigger reauthentication for that client.
By default, the device restarts the authentication procedure and contacts the authentication server whenever it receives an EAPoL-Start message from a client, even when that client is already authenticated. Because every such restart costs a round trip to the authentication server, an authenticated client that keeps sending EAPoL-Start messages can repeatedly force the device to wait on the server. You can configure the eapol-block statement to prevent the unnecessary downtime that can occur while the device waits for a response from the authentication server.
If you configure the device to block EAPoL-Start messages, when the device receives an EAPoL-Start message from an authenticated client, the device ignores the message and does not attempt to contact the authentication server for reauthentication. The existing authentication session that was established for the client remains open.
EAPoL-Start messages are blocked only if the client is in the authenticated state. EAPoL-Start messages from new clients are accepted, so the statement does not prevent new clients from authenticating. Note that a blocked client can no longer force its own reauthentication: its credentials are re-verified only when the interface's periodic reauthentication timer expires or when an administrator clears the session (for example, with the clear dot1x interface command).
Default
If the eapol-block statement is not configured, the device attempts to contact the authentication server to authenticate the client whenever it receives an EAPoL-Start message.
Options
captive-portal
    Configure the device to ignore EAPoL-Start messages received from a client that has been authenticated using captive portal authentication.
mac-radius
    Configure the device to ignore EAPoL-Start messages received from a client that has been authenticated using MAC RADIUS authentication. The
server-fail <seconds>
    Configure the device to ignore EAPoL-Start messages received from a client that has been authenticated using the server fail fallback or server reject VLAN methods. Optionally, configure the time interval, in seconds, during which the device will not attempt to contact the authentication server to reauthenticate a client that has already been authenticated using server fail fallback.
    Default: 120 seconds.
    Range: 120 through 65,535 seconds.
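The following configuration is an added illustration, not an example taken from Juniper's documentation. It shows an access interface in its default state, where every EAPoL-Start from an already-authenticated host restarts authentication and costs a RADIUS round trip, followed by the same interface with eapol-block applied at both hierarchy levels listed above. The interface name ge-0/0/1.0, the access profile dot1x-profile, the VLAN quarantine, and the 300-second server-fail interval are assumptions; the access profile, RADIUS server, and VLAN are assumed to exist and are not shown.

```junos
/* Added example (not Juniper's own): baseline without eapol-block.
   Any authenticated host on ge-0/0/1.0 that sends EAPoL-Start forces the
   switch to contact the RADIUS server again, even though its session is
   already established. Interface, profile, and VLAN names are assumptions. */
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-profile;
            interface {
                ge-0/0/1.0 {
                    supplicant multiple;
                    reauthentication 3600;
                    mac-radius;
                    server-fail vlan-name quarantine;
                    server-reject-vlan quarantine;
                }
            }
        }
    }
}

/* Hardened form: EAPoL-Start from clients that are already authenticated
   (via MAC RADIUS, server-fail fallback, or the server-reject VLAN) is
   ignored, so they can only be reauthenticated by the 3600-second
   reauthentication timer or by "clear dot1x interface ge-0/0/1.0".
   New, unauthenticated clients are still processed normally. */
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-profile;
            interface {
                ge-0/0/1.0 {
                    supplicant multiple;
                    reauthentication 3600;
                    mac-radius;
                    server-fail vlan-name quarantine;
                    server-reject-vlan quarantine {
                        eapol-block;
                    }
                    eapol-block {
                        mac-radius;
                        /* Do not re-contact RADIUS for server-fail clients
                           for 300 seconds (default 120, range 120-65535). */
                        server-fail 300;
                    }
                }
            }
        }
    }
}
```

The same hardened stanza can be entered in set form, for example `set protocols dot1x authenticator interface ge-0/0/1.0 eapol-block server-fail 300` and `set protocols dot1x authenticator interface ge-0/0/1.0 server-reject-vlan quarantine eapol-block`. Run `commit check` before committing, and confirm the per-client state afterwards with `show dot1x interface ge-0/0/1.0 detail`. Keep the reauthentication interval in mind when choosing to block: it becomes the only path by which an authenticated client's access is re-verified without administrator action.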
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.2.
Support at the [edit protocols dot1x authenticator interface interface-name] hierarchy level introduced in Junos OS Releases 14.1X53-D40 and 15.1X53-D51 for EX Series switches.
captive-portal and mac-radius options introduced in Junos OS Release 17.2R1.