100
If an 802.1X username string contains multiple configured delimiters, the rightmost delimiter is the
domain name delimiter. For example, if you configure the backslash (\), dot (.), and forward slash (/)
as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash
(\). The username is @abc and the domain name is 121.123/22.
If a username string contains none of the delimiters, the access device authenticates the user in the
mandatory or default ISP domain.
To specify a set of domain name delimiters:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Specify a set of domain
name delimiters for 802.1X
users.
dot1x domain-delimiter
string
By default, only the at sign (@)
delimiter is supported.
NOTE:
If you configure the access device to send usernames with domain names to the RADIUS server,
make sure the domain delimiter can be recognized by the RADIUS server. For username format
configuration, see the user-name-format command in Security Command Reference.
Enabling 802.1X user IP freezing
This feature works with the IP source guard feature. 802.1X-based IP source guard requires that
802.1X clients support sending user IP addresses to the access device. The device uses information
such as user MAC addresses and IP addresses obtained through 802.1X to generate IPSG bindings
to filter out IPv4 packets from unauthenticated 802.1X users. For information about IP source guard,
see "Configuring IP source guard."
This feature prevent
s any authenticated 802.1X users on a port from changing their IP addresses.
After you enable this feature, the port does not update the IP addresses in dynamic IPSG bindings
for 802.1X users. If an 802.1X user uses an IP address different from the IP address in its IPSG
binding entry, the port denies the user access.
To enable 802.1X user IP freezing:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter Layer 2 Ethernet
interface view.
interface
interface-type
interface-number
N/A
3. Enable 802.1X user IP
freezing.
dot1x user-ip freeze
By default, 802.1X user IP freezing is
disabled.
Sending 802.1X protocol packets out of a port
without VLAN tags
This feature enables the device to send 802.1X protocol packets out of an 802.1X-enabled port
without VLAN tags. It prevents terminal devices connected to the port from failing 802.1X
authentication because they cannot identify VLAN tags.
This feature is supported only on Ethernet ports whose link type is hybrid or trunk.
To enable the device to send 802.1X protocol packets out of a port without VLAN tags:
To Next Page
Loading...
Need help?
General