EAPoL MAC-Authentication does not work, if a client has LLDP disabled

Non-EAP (NEAP) clients fail to authenticate, unless they have LLDP enabled.

Products: ERS 3500, ERS 3600, ERS 4800, ERS 4900/5900
Software versions: All supported software versions
Working as designed. The issue is caused by a misconfiguration that prevents the client MAC address from being learned: the port is not configured as a member of its PVID VLAN.

4850GTS#show vlan interface verbose 3
     Filter Filter
     Untag. Unreg.
Port Frames Frames PVID VLAN VLAN Name        PRI Tagging       Port Name
---- ------ ------ ---- ---- ---------------- --- ------------- --------------
3    No     Yes    30   10   VLAN #10         0   UntagPvidOnly      Port 3                         
---- ------ ------ ---- ---- ---------------- --- ------------- --------------

In the above example, port 3 is not a member of VLAN 30 (PVID=30 is a leftover from a previous configuration in which the port belonged to VLAN 30). VLAN 10 is the only VLAN the port is a member of. Port 3 has "filter-unregistered-frames" enabled (the default and recommended setting), so every frame that is not tagged with VID=10 is dropped and no MAC address is learned from it.
LLDPDUs, however, are not subject to this filter. Like Spanning Tree Protocol BPDUs, they are accepted on the port regardless of the VLAN membership configured on it. If the client sends LLDPDUs, its MAC address is learned from them, which allows the NEAP client authentication to succeed; a client with LLDP disabled never gets its MAC learned and therefore never authenticates.
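The misconfiguration above is easy to miss by eye on a switch with many ports, so the following is an added audit script (not part of the original article or of the ERS software) that parses captured "show vlan interface verbose" output and flags every port whose PVID is not among its VLAN memberships while filter-unregistered-frames is enabled. The sample text embedded in the script is constructed: it contains the page's row for port 3 plus two made-up healthy ports (4 and 5) for contrast.

```python
import re

# Constructed sample output in the format shown on the page. Port 3 is the
# page's misconfigured port; ports 4 and 5 are constructed healthy examples
# (port 5 has two membership rows, one per VLAN, as the verbose view prints).
SAMPLE_OUTPUT = """\
     Filter Filter
     Untag. Unreg.
Port Frames Frames PVID VLAN VLAN Name        PRI Tagging       Port Name
---- ------ ------ ---- ---- ---------------- --- ------------- --------------
3    No     Yes    30   10   VLAN #10         0   UntagPvidOnly      Port 3
4    No     Yes    30   30   VLAN #30         0   UntagPvidOnly      Port 4
5    No     Yes    10   10   VLAN #10         0   UntagPvidOnly      Port 5
5    No     Yes    10   20   VLAN #20         0   UntagPvidOnly      Port 5
---- ------ ------ ---- ---- ---------------- --- ------------- --------------
"""

# Port, Filter Untagged, Filter Unregistered, PVID, VLAN; the VLAN Name
# column contains spaces, so only the leading fixed fields are captured.
ROW = re.compile(r"^(\d+)\s+(Yes|No)\s+(Yes|No)\s+(\d+)\s+(\d+)\s+")


def parse_vlan_table(text):
    """Collect, per port, its PVID, the unregistered-frame filter state and
    the set of VLANs it is a member of (one table row per membership)."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        port, _untag, unreg, pvid, vid = m.groups()
        entry = ports.setdefault(
            port, {"pvid": int(pvid), "filter_unreg": unreg == "Yes", "vlans": set()}
        )
        entry["vlans"].add(int(vid))
    return ports


def find_pvid_mismatches(ports):
    """Return (port, pvid, memberships) for ports where untagged client
    frames will be dropped: PVID VLAN not joined and the filter is on."""
    bad = []
    for port, e in sorted(ports.items(), key=lambda kv: int(kv[0])):
        if e["filter_unreg"] and e["pvid"] not in e["vlans"]:
            bad.append((port, e["pvid"], sorted(e["vlans"])))
    return bad


def audit(text=SAMPLE_OUTPUT):
    """Parse the captured output and return the list of misconfigured ports."""
    return find_pvid_mismatches(parse_vlan_table(text))


if __name__ == "__main__":
    for port, pvid, vlans in audit():
        print(f"port {port}: PVID {pvid} is not in VLAN membership {vlans}; "
              "untagged client frames are dropped and the MAC is not learned")
```

Run it against a pasted copy of the real command output instead of the sample to get the list of ports that need one of the fixes described below; ports with no VLAN membership at all produce no rows and are not reported, which matches the "NEAP not member of a VLAN" behaviour.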
Configure the setup in one of the following ways:

1. Remove all VLANs from the port (the client MAC address is still learned thanks to the "NEAP not member of a VLAN" feature).
2. Add an initial/staging VLAN to the port and set the PVID to that VLAN.
3. Configure a Guest-VLAN.