
How to Retain the Authentication Session Using IP-MAC Bindings

Summary

You can prevent the authentication session for an end device from being terminated when the MAC address for that device ages out.

Retaining the Authentication Session Based on IP-MAC Address Bindings

MAC RADIUS authentication is often used to permit hosts that are not enabled for 802.1X authentication to access the LAN. End devices such as printers are not very active on the network. If the MAC address associated with an end device ages out due to inactivity, the MAC address is cleared from the Ethernet switching table, and the authentication session ends. This means that other devices will not be able to reach the end device when necessary.

If the MAC address that ages out is associated with an IP address in the DHCP, DHCPv6, or SLAAC snooping table, that MAC-IP address binding will be cleared from the table. This can result in dropped traffic when the DHCP client tries to renew its lease.

You can configure the switching device to check for an IP-MAC address binding in the DHCP, DHCPv6, or SLAAC snooping table before terminating the authentication session when the MAC address ages out. If the MAC address for the end device is bound to an IP address, then it will be retained in the Ethernet switching table, and the authentication session will remain active.

This feature can be configured globally for all authenticated sessions using the CLI, or on a per-session basis using RADIUS attributes.

Benefits

This feature provides the following benefits:

  • Ensures that an end device is reachable by other devices on the network even if the MAC address ages out.

  • Prevents traffic from dropping when the end device tries to renew its DHCP lease.

CLI Configuration

Before you can configure this feature:

  • DHCP snooping, DHCPv6 snooping, or SLAAC snooping must be enabled on the device.

  • The no-mac-table-binding CLI statement must be configured. This disassociates the authentication session table from the Ethernet switching table, so that when a MAC address ages out, the authentication session will be extended until the next reauthentication.

    [edit]

    user@switch# set protocols dot1x authenticator no-mac-table-binding;


To configure this feature globally for all authenticated sessions:

  • Use the ip-mac-session-binding CLI statement to configure the switching device to check for an IP-MAC address binding in the DHCP, DHCPv6, or SLAAC snooping table before terminating the authentication session when the MAC address ages out:

    [edit]

    user@switch# set protocols dot1x authenticator ip-mac-session-binding;

Note

You cannot commit the ip-mac-session-binding configuration unless the no-mac-table-binding statement is also configured.

RADIUS Server Attributes

You can configure this feature for a specific authentication session using RADIUS server attributes. RADIUS server attributes are clear-text fields encapsulated in Access-Accept messages sent from the authentication server to the switching device when a supplicant connected to the switch is successfully authenticated.

To retain the authentication session based on IP-MAC address bindings, configure both of the following attribute-value pairs on the RADIUS server:

  • Juniper-AV-Pair = “IP-Mac-Session-Binding”

  • Juniper-AV-Pair = “No-Mac-Binding-Reauth”

The Juniper-AV-Pair attribute is a Juniper Networks vendor-specific attribute (VSA). Verify that the Juniper dictionary is loaded on the RADIUS server and includes the Juniper-AV-Pair VSA (ID# 52).
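The following example is added here to show how the two Juniper-AV-Pair values look on the wire and how a switch (or an engineer checking a packet capture) can confirm that an Access-Accept carries both of them; it is not code from Juniper Networks or from this document. It encodes each AV pair as an RFC 2865 Vendor-Specific attribute (type 26) using the Juniper Networks IANA enterprise number 2636 and the Juniper-AV-Pair vendor attribute number 52 from the text above, then parses a constructed attribute list back out. The sample attribute bytes, the helper names, and the Session-Timeout value are constructed for the example.

```python
import struct

JUNIPER_VENDOR_ID = 2636        # IANA enterprise number for Juniper Networks
JUNIPER_AV_PAIR = 52            # vendor attribute number of Juniper-AV-Pair (ID# 52)
RADIUS_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type

# Both values must be present for the session to be retained on MAC age-out.
REQUIRED_AV_PAIRS = {"IP-Mac-Session-Binding", "No-Mac-Binding-Reauth"}


def encode_juniper_av_pair(value: str) -> bytes:
    """Encode one Juniper-AV-Pair string as a RADIUS Vendor-Specific attribute.

    Layout: Type(26) Length Vendor-Id(4) | Vendor-Type(52) Vendor-Length String
    """
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", JUNIPER_AV_PAIR, 2 + len(data)) + data
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_part
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_juniper_av_pairs(attrs: bytes) -> list[str]:
    """Walk a RADIUS attribute list and return every Juniper-AV-Pair value found.

    Non-Juniper and non-VSA attributes are skipped; malformed lengths raise.
    """
    values = []
    offset = 0
    while offset + 2 <= len(attrs):
        atype, alen = attrs[offset], attrs[offset + 1]
        if alen < 2 or offset + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        payload = attrs[offset + 2:offset + alen]
        offset += alen
        if atype != RADIUS_VENDOR_SPECIFIC or len(payload) < 6:
            continue
        vendor_id = struct.unpack("!I", payload[:4])[0]
        if vendor_id != JUNIPER_VENDOR_ID:
            continue
        # One VSA may carry several vendor sub-attributes back to back.
        sub = payload[4:]
        pos = 0
        while pos + 2 <= len(sub):
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute length")
            if vtype == JUNIPER_AV_PAIR:
                values.append(sub[pos + 2:pos + vlen].decode("ascii"))
            pos += vlen
    return values


def session_binding_enabled(attrs: bytes) -> bool:
    """True only when the Access-Accept carries both required AV pairs."""
    return REQUIRED_AV_PAIRS.issubset(parse_juniper_av_pairs(attrs))


# Constructed sample: the attribute portion of an Access-Accept carrying an
# unrelated standard attribute (Session-Timeout, type 27) plus both AV pairs.
SAMPLE_ACCEPT_ATTRS = (
    struct.pack("!BBI", 27, 6, 3600)
    + encode_juniper_av_pair("IP-Mac-Session-Binding")
    + encode_juniper_av_pair("No-Mac-Binding-Reauth")
)

if __name__ == "__main__":
    print(parse_juniper_av_pairs(SAMPLE_ACCEPT_ATTRS))
    print("session binding enabled:", session_binding_enabled(SAMPLE_ACCEPT_ATTRS))
```

The string comparison is exact, matching the values as the text above gives them; an Access-Accept that carries only one of the two AV pairs is reported as not enabling the feature, which mirrors the requirement to configure both attribute-value pairs on the RADIUS server.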

If you need to add the attribute to the dictionary, locate the dictionary file (juniper.dct) on the RADIUS server and add the following text to the file:

Note

For specific information about configuring your RADIUS server, consult the AAA documentation included with your server.

Verification

Verify the configuration by issuing the operational mode command show dot1x interface interface-name detail and confirm that the Ip Mac Session Binding and No Mac Session Binding output fields indicate that the feature is enabled.

user@switch> show dot1x interface ge-0/0/16.0 detail

Clients authenticated with MAC RADIUS should remain authenticated, and MAC address entries in the Ethernet switching table should also be retained after expiration of the MAC timer.