eapol-block

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 11.2 for EX Series switches.

Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.

Support at the [edit protocols dot1x authenticator interface interface-name] hierarchy level introduced in Junos OS Releases 14.1X53-D40 and 15.1X53-D51 for EX Series switches.

Support for options mac-radius and captive-portal introduced in Junos OS Release 17.2R1.

Description

Enable the switch to ignore Extensible Authentication Protocol over LAN (EAPoL)-Start messages received from a client that has been authenticated so that the switch does not trigger re-authentication. The switch typically attempts to restart the authentication procedure by contacting the authentication server when it receives an EAPoL-Start message from a client—even for authenticated clients. You can configure the eapol-block statement to help prevent unnecessary downtime that can occur when the switch waits for a response from the authentication server.

If you configure the switch to block EAPoL-Start messages, when the switch receives an EAPoL-Start message from an authenticated client, the switch ignores the message and does not attempt to contact the authentication server for reauthentication. The existing authentication session that was established for the client remains open.

The EAPoL-Start messages are blocked only if the client is in the authenticated state. EAPoL-Start messages from new clients are accepted.

Default

If the eapol-block statement is not configured, the switch attempts to contact the authentication server to authenticate the client when it receives an EAPoL-Start message.

Options

server-fail seconds

Configure the switch to ignore EAP-Start messages received from a client that has been authenticated using server fail fallback or server reject VLAN methods. Configure the time interval, in seconds, during which the switch will not attempt to contact the authentication server to re-authenticate a client that has already been authenticated using server fail fallback.

Default: 120 seconds.

Range: 120 through 65,535 seconds.

mac-radius (EX4300 and EX9200 switches only)

Configure the switch to ignore EAP-Start messages received from a client that has been authenticated using MAC RADIUS authentication. The mac-radius option is also valid for clients authenticated using central Web authentication (CWA).

captive-portal (EX4300 and EX9200 switches only)

Configure the switch to ignore EAP-Start messages received from a client that has been authenticated using captive portal authentication.
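The following Python check is an added example, not part of the Juniper documentation: it lists which interfaces carry eapol-block and with which options, and flags a server-fail value outside the documented range. It assumes "set"-form lines built from the hierarchy level and option names given on this page; the interface names and sample lines are constructed.

```python
import re

# Constructed candidate configuration in "set" form. Interface names are made up;
# the line layout is assumed from the hierarchy level and options on this page.
SAMPLE = """\
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 eapol-block server-fail 300
set protocols dot1x authenticator interface ge-0/0/2.0 eapol-block mac-radius
set protocols dot1x authenticator interface ge-0/0/2.0 eapol-block captive-portal
set protocols dot1x authenticator interface ge-0/0/3.0 eapol-block server-fail 60
set protocols dot1x authenticator interface ge-0/0/4.0 eapol-block
"""

EAPOL_BLOCK = re.compile(
    r"^set protocols dot1x authenticator interface (\S+) "
    r"eapol-block(?:\s+(\S+))?(?:\s+(\S+))?\s*$"
)
SERVER_FAIL_MIN, SERVER_FAIL_MAX = 120, 65535    # documented range, in seconds
FLAG_OPTIONS = {"mac-radius", "captive-portal"}  # options that take no value

def audit_eapol_block(config_text):
    """Return ({interface: {option: value}}, [problem strings])."""
    ports, problems = {}, []
    for raw in config_text.splitlines():
        match = EAPOL_BLOCK.match(raw.strip())
        if not match:
            continue  # not an eapol-block line
        ifname, option, value = match.groups()
        options = ports.setdefault(ifname, {})
        if option is None:
            continue  # bare statement with no options
        if option == "server-fail":
            if value and value.isdigit() and SERVER_FAIL_MIN <= int(value) <= SERVER_FAIL_MAX:
                options[option] = int(value)
            else:
                problems.append(f"{ifname}: server-fail {value} is outside "
                                f"{SERVER_FAIL_MIN}-{SERVER_FAIL_MAX} seconds")
        elif option in FLAG_OPTIONS and value is None:
            options[option] = True
        else:
            problems.append(f"{ifname}: unrecognized eapol-block option {option!r}")
    return ports, problems

if __name__ == "__main__":
    ports, problems = audit_eapol_block(SAMPLE)
    for ifname, options in sorted(ports.items()):
        print(ifname, options or "eapol-block (no valid options)")
    for problem in problems:
        print("PROBLEM:", problem)
```

The resulting list is the set of ports on which an EAPoL-Start from an already authenticated client will not trigger reauthentication, which is the set worth reviewing against policy.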

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.