•  802.1X terminals use IP addresses in 192.168.1.0/24 before authentication, and request IP 
addresses in 3.3.3.0/24 through DHCP after passing authentication. If the terminal fails 
authentication, it uses an IP address in 2.2.2.0/24. 
•  After passing authentication, the printer obtains the IP address 3.3.3.111/24 that is bound with its 
MAC address through DHCP. 
•  Use the remote RADIUS server to perform authentication, authorization, and accounting and 
configure the switch to remove the ISP domain names from usernames sent to the RADIUS server. 
•  The local portal authentication server on the switch uses listening IP address 4.4.4.4. The switch 
sends a default authentication page to the web user and forwards authentication data by using 
HTTPS. 
•  Configure VLAN 3 as the authorized VLAN on the RADIUS server. Users passing authentication are 
added to this VLAN. 
•  Configure VLAN 2 as the Auth-Fail VLAN on the access device. Users failing authentication are 
added to this VLAN, and are allowed to access only the Update server. 
Figure 72 Network diagram 
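An added example, not part of the original guide: a Python check that audits terminal session records against the address plan in the requirements above and reports any terminal whose VLAN or IP address contradicts its authentication state. The record fields (mac, ip, vlan, state) and the sample records are constructed assumptions, and the pairing of each subnet with a VLAN is inferred from the requirements.

```python
import ipaddress

# Address plan from the requirements above. The page gives no VLAN for the
# pre-authentication state, so that VLAN is left unchecked (None).
PLAN = {
    "pre-auth": (None, ipaddress.ip_network("192.168.1.0/24")),
    "auth-fail": (2, ipaddress.ip_network("2.2.2.0/24")),
    "authorized": (3, ipaddress.ip_network("3.3.3.0/24")),
}
PRINTER_MAC = "001588f80dd7"
PRINTER_IP = ipaddress.ip_address("3.3.3.111")

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def audit(sessions):
    """Return (mac, problem) tuples for sessions that contradict the plan."""
    findings = []
    for s in sessions:
        mac, ip = norm_mac(s["mac"]), ipaddress.ip_address(s["ip"])
        if s["state"] not in PLAN:
            findings.append((mac, f"unknown state {s['state']!r}"))
            continue
        vlan, net = PLAN[s["state"]]
        if vlan is not None and s["vlan"] != vlan:
            findings.append((mac, f"{s['state']} terminal in VLAN {s['vlan']}, expected {vlan}"))
        if ip not in net:
            findings.append((mac, f"{s['state']} terminal holds {ip}, expected {net}"))
        # Printer binding: nobody else may hold its address, and once
        # authorized the printer must hold exactly that address.
        if (ip == PRINTER_IP and mac != PRINTER_MAC) or (
                mac == PRINTER_MAC and s["state"] == "authorized" and ip != PRINTER_IP):
            findings.append((mac, f"binding {PRINTER_IP} <-> {PRINTER_MAC} violated"))
    return findings

# Constructed sample records (not output from a real switch).
SAMPLE = [
    {"mac": "0015-88f8-0dd7", "ip": "3.3.3.111", "vlan": 3, "state": "authorized"},
    {"mac": "00-11-22-33-44-55", "ip": "2.2.2.10", "vlan": 2, "state": "auth-fail"},
    {"mac": "00:11:22:33:44:66", "ip": "3.3.3.20", "vlan": 2, "state": "auth-fail"},
    {"mac": "00:11:22:33:44:77", "ip": "3.3.3.111", "vlan": 3, "state": "authorized"},
    {"mac": "00:11:22:33:44:88", "ip": "192.168.1.5", "vlan": 3, "state": "authorized"},
]

if __name__ == "__main__":
    for mac, problem in audit(SAMPLE):
        print(mac, problem)
```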
 
 
Configuration procedure 
Make sure that the terminals, the servers, and the switch can reach each other. 
When using an external DHCP server, make sure that the terminals can get IP addresses from the server 
before and after authentication. 
1.  Configure the RADIUS server, and make sure the authentication, authorization, and accounting 
functions work normally. In this example, configure on the RADIUS server an 802.1X user (with 
username userdot), a portal user (with username userpt), a MAC authentication user (with a 
username and password both being the MAC address of the printer 001588f80dd7), and an 
authorized VLAN (VLAN 3). 
2.  Configure PKI domain pkidm and acquire the local and CA certificates. For more information, see 
"Configuring PKI." 
3.  Complete the editing of a self-defined default authentication page file, compress the file to a zip 
file named defaultfile and save the zip file at the root directory. 
4.  Configure DHCP: