Users Guide
vlan 61
aaa-profile aaa_dot1x
sid-profile WLAN-01
(host)(config) #ap-group first-floor
virtual-ap WLAN-01_first-floor
(host)(config) #ap-group second-floor
virtual-ap WLAN-01_second-floor
Configuring Mixed Authentication Modes
Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and 802.1x
authentication. When MAC authentication fails, enable the l2-auth-fail-through command to perform
802.1x authentication.
By default the l2-auth-fail-through command is disabled.
Authentication 1 2 3 4 5 6
MAC
authentication
Success Success Success Fail Fail Fail
802.1x
authentication
Success Fail — Success Fail —
Association dynamic-
wep
No
Associatio
n
static-
wep
dynamic-
wep
No
Associatio
n
static-
wep
Role Assignment 802.1x — MAC 802.1x — logon
Table 71: Mixed Authentication Modes
Table 71 describes the different authentication possibilities
In the CLI
(host)(config) #aaa profile test
l2-auth-fail-through
Performing Advanced Configuration Options for 802.1X
This section describes advanced configuration options for 802.1X authentication.
Configuring Reauthentication with Unicast Key Rotation
When enabled, unicast and multicast keys are updated after each reauthorization. It is a best practice to
configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least
15 minutes. Ensure that these intervals are mutually prime, and the factor of the unicast key rotation interval
and the multicast key rotation interval is less than the reauthentication interval.
Unicast key rotation depends upon both the AP/controller and wireless client behavior. It is known that some wireless
NICs have issues with unicast key rotation.
Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 354