Specifying supported domain name delimiters
By default, the access device supports the at sign (@) as the delimiter. You can also configure the
access device to accommodate 802.1X users that use other domain name delimiters.
The configurable delimiters include the at sign (@), backslash (\), and forward slash (/).
If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the
domain name delimiter. For example, if you configure @, /, and \ as delimiters, the domain name
delimiter for the username string 123/22\@abc is the forward slash (/).
If a username string contains none of the delimiters, the access device authenticates the user in the
mandatory or default ISP domain. The access device selects a domain delimiter from the delimiter set in this
order: @, /, and \.
To specify a set of domain name delimiters:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify a set of domain name delimiters for 802.1X users. | dot1x domain-delimiter string | By default, only the at sign (@) delimiter is supported. |
NOTE:
If you configure the access device to include the domain name in the username sent to the RADIUS
server, make sure the domain delimiter in the username can be recognized by the RADIUS server.
For username format configuration, see the user-name-format command in Security Command
Reference.
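The leftmost-delimiter rule described in this section can be checked against an account list before extra delimiters are enabled. The following is an added example, not vendor code: the function names and sample usernames are constructed for illustration, and it models only the leftmost rule and the no-delimiter fallback stated above.

```python
# Added example (not vendor code): models the leftmost-delimiter rule from the text.
SUPPORTED = "@/\\"  # configurable delimiters: at sign, forward slash, backslash


def domain_delimiter(username, configured="@"):
    """Return (delimiter, index) of the leftmost configured delimiter, or None.

    None means the name has no configured delimiter, so per the text the user
    is authenticated in the mandatory or default ISP domain.
    """
    if not configured or any(c not in SUPPORTED for c in configured):
        raise ValueError("delimiter set must be drawn from SUPPORTED")
    hits = [(username.index(d), d) for d in set(configured) if d in username]
    if not hits:
        return None
    index, delim = min(hits)
    return delim, index


def audit(usernames, configured):
    """Group usernames by how many configured delimiter characters they hold."""
    report = {"no_delimiter": [], "single": [], "multiple": []}
    for name in usernames:
        count = sum(1 for ch in name if ch in configured)
        if count == 0:
            report["no_delimiter"].append(name)
        elif count == 1:
            report["single"].append(name)
        else:
            # Review these: the split point depends on the configured set.
            report["multiple"].append((name, domain_delimiter(name, configured)[0]))
    return report


if __name__ == "__main__":
    # Constructed sample names; the last one is the page's own example string.
    sample = ["alice", "bob@corp", "corp\\carol", "123/22\\@abc"]
    for bucket, names in audit(sample, "@/\\").items():
        print(bucket, names)
```

Names reported under "multiple" are the ones whose domain split changes when the delimiter set changes, so they are worth reviewing on both the access device and the RADIUS server.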
Configuring 802.1X MAC address binding
This feature can automatically bind MAC addresses of authenticated 802.1X users to the users'
access port and generate 802.1X MAC address binding entries. You can also use the dot1x
binding-mac mac-address command to manually configure 802.1X MAC address binding entries.
802.1X MAC address binding entries never age out. They can survive a user logoff or a device
reboot. To delete an entry, you must use the undo dot1x binding-mac mac-address command.
After the number of 802.1X MAC address binding entries reaches the upper limit of concurrent
802.1X users, the following restrictions exist:
• Users not in the binding entries will fail authentication even after users in the binding entries go
offline.
• New 802.1X MAC address binding entries are not allowed.
When you configure the 802.1X MAC address binding feature on a port, follow these restrictions and
guidelines:
• The 802.1X MAC address binding feature takes effect only when the port performs MAC-based
access control.
• Manually configured MAC address binding entries take effect only when the 802.1X MAC
address binding feature takes effect.
• An 802.1X MAC address binding entry cannot be deleted when the user in the entry is online.
To configure the 802.1X MAC address binding feature on a port: