[IAG] Authentication policy does not match – Layer 3 switch MAC is not excluded in cross-Layer 3 configuration
Problem Description
An authentication policy on the IAG was configured to use the MAC address as the username, but it failed.
Process
- The intranet is a Layer 3 environment, and the cross-Layer 3 configuration was applied successfully
- The first authentication policy is configured so that no authentication is required and the MAC address is used as the username. Its authentication scope is all MAC addresses of the configured user.
- The default authentication policy is that no authentication is required and the IP address is used as the username

- All online users are displayed with their IP addresses as their usernames, and the same applies when they log out and come back online.
- No binding relationship is configured locally
- Checking the cross-Layer 3 configuration shows that the MAC address of the Layer 3 switch is not excluded there.

- After the Layer 3 switch is added to the exclusions, the user matches the first authentication policy and goes online with the MAC address as the username
Root cause
The cross-Layer 3 configuration does not exclude the MAC address of the Layer 3 switch.
Solution
Exclude the MAC address of the Layer 3 switch in the cross-Layer 3 configuration.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=7435&isOpen=true