726 CHAPTER 50: 802.1X CONFIGURATION
device. You can change the access rights of users by modifying authorization ACL
settings on the RADIUS server or changing the corresponding ACL rules on the
device.
Configuring 802.1x
Configuration
Prerequisites
802.1x provides a user identity authentication scheme. However, 802.1x cannot
implement the authentication scheme solely by itself. RADIUS or local
authentication must be configured to work with 802.1x.
■ Configure the ISP domain to which the 802.1x user belongs and the AAA
scheme to be used (that is, local authentication or RADIUS).
■ For remote RADIUS authentication, the username and password information
must be configured on the RADIUS server.
■ For local authentication, the username and password information must be
configured on the authenticator and the service type must be set to
lan-access.
For detailed configuration of the RADIUS client, refer to “Configuring RADIUS” on
page 765.
Configuring 802.1x
Globally
Follow these steps to configure 802.1x globally:
To do… Use the command… Remarks
Enter system view system-view -
Enable 802.1x globally dot1x Required
Disabled by default
Set the authentication method dot1x
authentication-method
{ chap | eap | pap }
Optional
CHAP by default
Set the port
access control
parameters
Set the port
access control
mode for
specified or all
ports
dot1x port-control
{ authorized-force | auto |
unauthorized-force }
[ interface interface-list ]
Optional
auto by default
Set the port
access control
method for
specified or all
ports
dot1x port-method
{ macbased | portbased }
[ interface interface-list ]
Optional
macbased by default
Set the
maximum
number of
users for
specified or all
ports
dot1x max-user
user-number [ interface
interface-list ]
Optional
By default, the maximum
number of concurrent users
accessing a port is 256.
Set the maximum number of
attempts to send an
authentication request to a
supplicant
dot1x retry max-retry-value Optional
2 by default
To Next Page
Loading...
