Enabling the periodic online user re-authentication function
Periodic online user re-authentication tracks the connection status of online users and updates the
authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS.
The re-authentication interval is user configurable.
To enable the periodic online user re-authentication function:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the periodic re-authentication timer. | dot1x timer reauth-period reauth-period-value | Optional. The default setting is 3600 seconds. |
| 3. Enter Ethernet interface view. | interface interface-type interface-number | N/A |
| 4. Enable periodic online user re-authentication. | dot1x re-authenticate | By default, the function is disabled. |
The periodic online user re-authentication timer can also be set by the authentication server in the
session-timeout attribute. The server-assigned timer overrides the timer setting on the access device,
and enables periodic online user re-authentication, even if the function is not configured. Support for
server assignment of the re-authentication timer, and the way the timer is configured on the server,
vary with servers.
The VLAN assignment status must be consistent before and after re-authentication. If the
authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at
re-authentication. If the authentication server has assigned no VLAN before re-authentication, it
must not assign one at re-authentication. Violation of either rule can cause the user to be logged off.
The VLANs assigned to an online user before and after re-authentication can be the same or
different.
If no critical VLAN is configured, an unreachable RADIUS server can cause an online user who is
being re-authenticated to be logged off. If a critical VLAN is configured, the user remains online and
in the original VLAN.
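The following audit script is an added example, not part of the original guide: it reads a saved configuration and reports the device-side re-authentication timer and which 802.1X ports lack dot1x re-authenticate. It assumes the text is laid out like display current-configuration output (stanzas separated by # lines, a bare dot1x line in an interface stanza meaning 802.1X is enabled on that port); the sample configuration and the function names are constructed for illustration.

```python
import re

DEFAULT_REAUTH_PERIOD = 3600  # seconds, the default given in the table above

# Constructed sample configuration (assumed display current-configuration layout).
SAMPLE_CONFIG = """\
#
 dot1x
 dot1x timer reauth-period 1800
#
interface GigabitEthernet0/1
 description staff access
 dot1x
 dot1x re-authenticate
#
interface GigabitEthernet0/2
 description meeting room
 dot1x
#
interface GigabitEthernet0/3
 description uplink
#
"""

def audit_reauth(config_text):
    """Return (device_timer_seconds, {port: re-authentication enabled?})."""
    period = DEFAULT_REAUTH_PERIOD
    enabled, reauth = set(), set()
    current = None  # interface stanza being read; None means system view
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":      # stanza separator
            current = None
        elif raw.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current is None:
            m = re.fullmatch(r"dot1x timer reauth-period (\d+)", line)
            if m:
                period = int(m.group(1))
        elif line == "dot1x":
            enabled.add(current)
        elif line == "dot1x re-authenticate":
            reauth.add(current)
    return period, {port: port in reauth for port in sorted(enabled)}

def ports_without_reauth(config_text):
    """802.1X ports where the device itself never re-checks online users."""
    return [port for port, on in audit_reauth(config_text)[1].items() if not on]
```

The result reflects only the device configuration: a session-timeout attribute assigned by the authentication server overrides the timer and enables re-authentication on ports this script lists as lacking it.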
Configuring an 802.1X guest VLAN
Configuration guidelines
Follow these guidelines when you configure an 802.1X guest VLAN:
• 802.1X guest VLAN is not supported on a port that performs MAC-based access control.
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different
ports can be different.
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port, so
the port can correctly process incoming VLAN tagged traffic.
• You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN. For more
information about super VLAN, see HPE FlexNetwork MSR Router Series Comware 5 Layer
2—LAN Switching Configuration Guide.