1-16
Configuring 802.1X parameters for a port
Follow these steps to configure 802.1X parameters for a port:
To do… Use the command… Remarks
Enter system view
system-view
—
Enter Ethernet interface view
interface interface-type
interface-number
—
Set the port access control
mode for the port
dot1x port-control
{ authorized-force | auto |
unauthorized-force }
Optional
auto by default
Set the port access control
method for the port
dot1x port-method
{ macbased | portbased }
Optional
macbased by default
Set the maximum number of
users for the port
dot1x max-user user-number
Optional
256 by default
Enable online user handshake
dot1x handshake
Optional
Enabled by default
Enable multicast trigger
dot1x multicast-trigger
Optional
Enabled by default
Enable periodic
re-authentication
dot1x re-authenticate
Required
Disabled by default
Specify the mandatory
authentication domain for the
port
dot1x mandatory-domain
domain-name
Optional
No mandatory authentication
domain is specified by default.
Note that:
z Enabling 802.1X on a port is mutually exclusive with adding the port to an aggregation group.
z In EAP relay authentication mode, the device encapsulates the 802.1X user information in the EAP
attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. In
this case, you can configure the user-name-format command but it does not take effect. For
information about the user-name-format command, refer to AAA Commands in the Security
Volume.
z If the username of a client contains the version number or one or more blank spaces, you can
neither retrieve information nor disconnect the client by using the username. However, you can use
items such as IP address and connection index number to do so.
z Once enabled with the 802.1X multicast trigger function, a port sends multicast trigger messages to
the client periodically to initiate authentication.
z For a user-side device sending untagged traffic, the voice VLAN function and 802.1X are mutually
exclusive and cannot be configured together on the same port. For details about voice VLAN, refer
to VLAN Configuration in the Access Volume.
z After an 802.1X user passes authentication, if the authentication server assigns a re-authentication
interval for the user through the session-timeout attribute, the assigned re-authentication interval
will take effect instead of that specified on the device. The re-authentication interval assignment
varies by server type. Refer to the specific authentication server implementation for further details.
To Next Page
Loading...
Need help?
General