This is expected behavior with “authentication mode optional” in EXOS.
Observation:
- In authentication optional mode, traffic from the client is forwarded even when the client is not authenticated, i.e. authentication is not mandatory.
- If the client fails to authenticate for any reason (RADIUS server unreachable, wrong password, or anything else), the switch still adds the client MAC to the FDB table and stops sending re-authentication requests to the RADIUS server.
- The next authentication attempt is triggered only when the FDB entry ages out or “clear fdb” is executed.
- If the client authenticates successfully in this mode, the switch continues to send a re-authentication request after every policy session timeout.
- Since this scenario deals with a failed client, the session timeout does not apply.
- After the aging time expires, the failed entries are deleted from netlogin, but the corresponding FDB entries are not cleared.
The following UPM script clears the FDB entry of each netlogin client at the moment netlogin deletes it, so the next frame from that MAC triggers a fresh authentication. An EMS log filter matches the nl.mac.DeleteClient event and sends it to a UPM log target, which runs the profile:
* X440G2-24t-10G.1 # show configuration "ems"
# Module ems configuration.
enable log debug-mode
create log filter upm_re_auth
configure log filter upm_re_auth add events nl.mac.DeleteClient
create log target upm re_auth
enable log target upm re_auth
configure log target upm re_auth filter upm_re_auth severity Debug-Summary only
* X440G2-24t-10G.2 # show configuration "upm"
# Module upm configuration.
create upm profile re_auth
enable cli scripting
if (!$match($EVENT.LOG_EVENT,DeleteClient)) then
clear fdb $EVENT.LOG_PARAM_1
endif
.
Notes on the script: the event is logged at debug severity, which is why “enable log debug-mode” is needed and the target filter is set to Debug-Summary. $EVENT.LOG_EVENT holds the event name (DeleteClient), and $EVENT.LOG_PARAM_1 is the MAC address carried by that event, so “clear fdb” removes exactly the entry of the client netlogin just deleted. The profile body ends with “endif” and a line containing only “.” to terminate the profile.
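The same event-to-action logic, written as an offline Python example for an operator who collects the switch log on a syslog host instead of running the UPM profile on the switch. This is added example code, not part of the original article or of EXOS; the log line format and the wording of the DeleteClient message are assumptions (constructed sample lines, not captured from a switch). Unlike the UPM script, which passes $EVENT.LOG_PARAM_1 to “clear fdb” unchecked, it only emits a command when the event is nl.mac.DeleteClient and the extracted parameter is a well-formed MAC, and it de-duplicates repeated deletions.

```python
import re

# Constructed sample EMS log lines. The "<Severity:component.sub.Event>"
# layout and the message text are assumed for this example.
SAMPLE_LOG = """\
08/21/2023 10:15:02.11 <Info:nl.mac.DeleteClient> Deleted client 00:11:22:33:44:55 on port 1:3 vlan Default
08/21/2023 10:15:02.12 <Info:nl.mac.AddClient> Added client 00:11:22:33:44:66 on port 1:4 vlan Default
08/21/2023 10:15:03.40 <Info:nl.mac.DeleteClient> Deleted client 00:11:22:33:44:55 on port 1:3 vlan Default
08/21/2023 10:15:04.00 <Info:nl.mac.DeleteClient> Deleted client zz:11:22:33:44:77 on port 1:5 vlan Default
"""

# Event name between the angle brackets, message text after them.
EVENT_RE = re.compile(r"<\w+:(?P<event>[\w.]+)>\s+(?P<msg>.*)$")
# A colon-separated six-octet MAC; anything else is rejected rather than
# being spliced into a CLI command.
MAC_TOKEN_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}\b")


def deleted_client_macs(log_text):
    """Return (macs, skipped).

    macs: lowercase MACs from nl.mac.DeleteClient lines, de-duplicated,
          in first-seen order.
    skipped: DeleteClient lines that carried no well-formed MAC.
    """
    macs, seen, skipped = [], set(), []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        # Only the DeleteClient event triggers a clear; AddClient and
        # unrelated events are ignored, mirroring the EMS filter.
        if not m or m.group("event") != "nl.mac.DeleteClient":
            continue
        found = MAC_TOKEN_RE.search(m.group("msg"))
        if not found:
            skipped.append(line)
            continue
        mac = found.group(0).lower()
        if mac not in seen:
            seen.add(mac)
            macs.append(mac)
    return macs, skipped


def clear_fdb_commands(log_text):
    """Build the EXOS 'clear fdb <mac>' commands for the deleted clients."""
    macs, skipped = deleted_client_macs(log_text)
    return [f"clear fdb {mac}" for mac in macs], skipped


if __name__ == "__main__":
    commands, skipped = clear_fdb_commands(SAMPLE_LOG)
    for cmd in commands:
        print(cmd)
    for line in skipped:
        print("skipped (no valid MAC):", line)
```

The commands would then be pushed to the switch over the management channel the operator already uses; the point of the example is the filtering and validation step in front of “clear fdb”, not the transport.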