311
• MAC-based access control—Each user is separately authenticated on a port. When a user logs off,
no other online users are affected.
802.1X timers
This section describes the timers used on an 802.1X device to guarantee that the client, the device, and
the RADIUS server can interact with each other correctly.
• Username request timeout timer—Starts when the device sends an EAP-Request/Identity packet to
a client in response to an authentication request. If the device does not receive a response before
this timer expires, it retransmits the request. The timer also sets the interval for the network device to
send multicast EAP-Request/Identity packets to detect clients who cannot actively request
authentication.
• Client timeout timer—Starts when the access device sends an EAP-Request/MD5 Challenge packet
to a client. If the client does not receive a response when this timer expires, the access device
retransmits the request to the client.
• Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the
authentication server. If the server does not receive a response when this timer expires, the access
device retransmits the request to the server.
• Handshake timer—Sets the interval for the access device to send client handshake requests to
check the online status of a client that has passed authentication. If the device does not receive a
response after sending the maximum number of handshake requests, it considers that the client has
logged off. For information about how to enable the online user handshake function, see
"Configuring 802.1X on a port."
• Q
uiet timer—Starts when the access device sends a RADIUS Access-Request packet to the
authentication server. If the server does not receive a response when this timer expires, the access
device retransmits the request to the server.
• Periodic online user re-authentication timer—Sets the interval for the network device to periodically
re-authenticate online 802.1X users. For information about how to enable periodic online user
re-authentication on a port, see "Configuring 802.1X on a port."
Configuration prerequisites
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and specify the LAN
access service for the user accounts.
Configuration guidelines
When you configure 802.1X, follow these guidelines:
• Make sure you enable 802.1X both globally and on the ports for 802.1X configuration to take effect
on ports.
• 802.1X is mutually exclusive with link aggregation configuration on a port.
• If EAP relay is used, the Username Format parameter on the RADIUS Setup tab does not take effect.
The access device sends the authentication data from the client to the server without any
modification.
• If the PVID of a port is a voice VLAN, the 802.1X function cannot take effect on the port.
To Next Page
Loading...
Need help?
General