2-2
Configuring Quick EAD Deployment
Configuration Prerequisites
z Enable 802.1x on the switch.
z Set the access mode to auto for 802.1x-enabled ports.
Configuration Procedure
Configuring a free IP range
A free IP range is an IP range that users can access before passing 802.1x authentication.
Table 2-1 Configure a free IP range
To do... Use the command... Remarks
Enter system view
system-view
—
Configure the URL for HTTP
redirection
dot1x url url-string
Required
Configure a free IP range
dot1x free-ip ip-address
{ mask-address | mask-length }
Required
By default, no free IP range is
configured.
z You must configure the URL for HTTP redirection before configuring a free IP range. A URL must
start with http:// and the segment where the URL resides must be in the free IP range. Otherwise,
the redirection function cannot take effect.
z You must disable the DHCP-triggered authentication function of 802.1x before configuring a free IP
range.
z With dot1x enabled but quick EAD deployment disabled, users cannot access the DHCP server if
they fail 802.1x authentication. With quick EAD deployment enabled, users can obtain IP
addresses dynamically before passing authentication if the IP address of the DHCP server is in the
free IP range.
z The quick EAD deployment function applies to only ports with the access control mode set to auto
through the dot1x port-control command.
z At present, 802.1x is the only access approach that supports quick EAD deployment.
z Currently, the quick EAD deployment function does not support port security. The configured free
IP range cannot take effect if you enable port security.
Setting the ACL timeout period
The quick EAD deployment function depends on ACLs in restricting access of users failing
authentication. Each online user that has not passed authentication occupies a certain amount of ACL
resources. After a user passes authentication, the occupied ACL resources will be released. When a
large number of users log in but cannot pass authentication, the switch may run out of ACL resources,
preventing other users from logging in. A timer called ACL timer is designed to solve this problem.
To Next Page
Loading...
Need help?
General