Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1
802.1x Configuration
Huawei Technologies Proprietary
1-7
DIUS server must support
CHAP authenticat authentication (switch send authentication
information to RADIUS server in the form of EAP packets directly and RADIUS server
m
F d EAP-MD5 methods are available on the
s
z : The client and RADIUS server check in EAP-TLS approach mutually
the security certificate authority of the other’s, to guarantee the validity of the
certificates and prevent data from being illegally used.
provide integrity protection,
sh identity
ation method for 802.1x user
must support PAP authentication), CHAP authentication (RA
ion), EAP relay
ust support EAP authentication).
or EAP authentication, PEAP, EAP-TLS an
witch:
EAP-TLS
z PEAP: As a kind of EAP protocol, protected EAP (PEAP) first establishes an
encrypted transport layer security (TLS) channel to
and then initiates a new type of EAP negotiation, to accompli
authentication to the client.
If you want to enable PEAP, EAP-TLS or EAP-MD5 authentication method on an
Ethernet switch, you only need to use the command dot1x authentication-method
eap to enable EAP authentication.
Perform the following configurations in system view.
Table 1-7 Configuring the authentic
Operation Command
Configure authentication method for
802.1x
{ |
user
dot1x authentication-method chap
pap | eap }
R store the default authentication
thod for 802.1x user
undo dot1x authentication-method
e
me
By d
1.2.8 Enablin N
enticated for maximum times, the switch adds this
s performed when the user
of the Guest VLAN visits the resources within this Guest VLAN. However, if the user
, the requirements of
allowing unauth ers to access some resources ch as, the user
accesses some re alling 802.1x client, or the user upgrades 802.1x
c
P view or Ethernet port view.
efault, CHAP authentication is used for 802.1x user authentication.
g/Disabling Guest VLA
After the Guest VLAN function is enabled, the switch broadcasts active authentication
packets to all ports on which 802.1x are enabled. If there is still some ports do not return
response packets after being re-auth
ports into Guest VLAN. After that, no 802.1x authentication i
visits the outer resources, authentication is still needed. In this way
enticated us
sources without inst
are met, su
lient without authentication, and so on.
erform the following configuration in system
To Next Page
Loading...
