Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

eapol-block

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 11.2 for EX Series switches.

Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.

Support at the [edit protocols dot1x authenticator interface interface-name] hierarchy level introduced in Junos OS Releases 14.1X53-D40 and 15.1X53-D51 for EX Series switches.

captive-portal and mac-radius introduced in Junos OS Release 17.2R1.

Description

Enable the device to ignore Extensible Authentication Protocol over LAN (EAPoL)-Start messages received from a client that has been authenticated so that the device does not trigger re-authentication. The device typically attempts to restart the authentication procedure by contacting the authentication server when it receives an EAPoL-Start message from a client—even for authenticated clients. You can configure the eapol-block statement to help prevent unnecessary downtime that can occur when the device waits for a response from the authentication server.

If you configure the device to block EAPoL-Start messages, when the device receives an EAPoL-Start message from an authenticated client, the device ignores the message and does not attempt to contact the authentication server for reauthentication. The existing authentication session that was established for the client remains open.

The EAPoL-Start messages are blocked only if the client is in the authenticated state. EAPoL-Start messages from new clients are accepted.

Default

If the eapol-block statement is not configured, the device attempts to contact the authentication server to authenticate the client when it receives an EAPoL-Start message.

Options

captive-portal Configure the device to ignore EAPoL-Start messages received from a client that has been authenticated using captive portal authentication.
mac-radius Configure the device to ignore EAPoL-Start messages received from a client that has been authenticated using MAC RADIUS authentication. The mac-radius option is also valid for clients authenticated using central Web authentication (CWA).
server-fail <seconds>Configure the device to ignore EAPoL-Start messages received from a client that has been authenticated using server fail fallback or server reject VLAN methods. Optionally, configure the time interval, in seconds, during which the device will not attempt to contact the authentication server to re-authenticate a client that has already been authenticated using server fail fallback.

Default: 120 seconds.

Range: 120 through 65,535 seconds.

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.