Configuration Guide Configuring 802.1X
If the user connected to a controlled port does not support 802.1X, it will not respond when the NAS requests the user
name. The user therefore remains unauthorized and cannot access network resources.
If the user is 802.1X-enabled but the NAS is not, and the user does not receive any response after sending a
specified number of EAPOL-Start packets, it regards the connected port as uncontrolled and directly accesses network
resources.
On 802.1X-enabled devices, all ports are uncontrolled by default. We can configure a port as controlled so that all users on
this port have to be authenticated.
If a user passes authentication (that is, the NAS receives a success packet from the RADIUS server), the user becomes
authorized and can freely access network resources. If the user fails authentication, it remains unauthenticated and
re-initiates authentication. If the communication between the NAS and the RADIUS server fails, the user remains
unauthorized and cannot access network resources.
When a user sends an EAPOL-LOGOFF packet, the user's status changes from authorized to unauthorized.
When the NAS restarts, all users on it become unauthorized.
To exempt a client from authentication, it is recommended to add a static MAC address for that client.
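The port behavior described above can be modeled as a small state machine. The following Python sketch is an added example, not code from this guide or from the device; the class, event names, and MAC addresses are hypothetical and constructed for illustration. It shows that a controlled port fails closed on rejection, RADIUS outage, logoff, and NAS restart, while an uncontrolled port or a static MAC entry bypasses authentication.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class Event(Enum):
    RADIUS_ACCEPT = auto()       # NAS received a success packet from RADIUS
    RADIUS_REJECT = auto()       # authentication failed; client will retry
    RADIUS_UNREACHABLE = auto()  # NAS <-> RADIUS communication failed
    EAPOL_LOGOFF = auto()        # client sent EAPOL-Logoff
    NAS_RESTART = auto()         # NAS rebooted; applies to every user

@dataclass
class Port:
    controlled: bool = False                       # uncontrolled by default
    static_macs: set = field(default_factory=set)  # clients exempt from auth
    authorized: set = field(default_factory=set)   # MACs currently authorized

    def handle(self, mac, event):
        if event is Event.NAS_RESTART:
            self.authorized.clear()                # all users become unauthorized
        elif event is Event.RADIUS_ACCEPT:
            self.authorized.add(mac)
        else:                                      # reject, outage, logoff: fail closed
            self.authorized.discard(mac)

    def may_forward(self, mac):
        if not self.controlled or mac in self.static_macs:
            return True                            # no authentication required
        return mac in self.authorized              # silent or unknown clients stay blocked

def replay(port, events):
    """Apply (mac, event) pairs; return the access decision after each one."""
    decisions = []
    for mac, event in events:
        port.handle(mac, event)
        decisions.append(port.may_forward(mac))
    return decisions

# Constructed sample data (not from the guide).
LAPTOP = "00:11:22:33:44:55"    # runs a supplicant
PRINTER = "00:aa:bb:cc:dd:ee"   # no 802.1X support, never answers the NAS
SAMPLE = [(LAPTOP, Event.RADIUS_REJECT), (LAPTOP, Event.RADIUS_ACCEPT),
          (LAPTOP, Event.EAPOL_LOGOFF), (LAPTOP, Event.RADIUS_ACCEPT),
          (LAPTOP, Event.NAS_RESTART), (LAPTOP, Event.RADIUS_UNREACHABLE)]

if __name__ == "__main__":
    port = Port(controlled=True)
    print(replay(port, SAMPLE))        # access decision after each event
    print(port.may_forward(PRINTER))   # client without a supplicant
```

When auditing a deployment, the uncontrolled default and every static MAC entry are the places where traffic passes without authentication.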
• Deploying the Authentication Server
802.1X authentication uses the RADIUS server as the authentication server. Therefore, when 802.1X secure admission is
deployed, the RADIUS server also needs to be deployed. Common RADIUS servers include Microsoft IAS/NPS, Cisco ACS,
and RG-SAM/SMP. For details about the deployment procedure, see the description of the related software.
• Configuring Authentication Parameters
To use 802.1X authentication, enable 802.1X authentication on the access port and configure the AAA authentication
method list and the RADIUS server parameters. To ensure accessibility between the NAS and the RADIUS server, the 802.1X
server timeout should be longer than the RADIUS server timeout.
• Supplicant
A user should start Ruijie Supplicant to enter the user name and initiate authentication. If the operating system has its own
authentication client and the network is available, a dialog box will be displayed, asking the user to enter the user name.
Different clients may have different implementation processes and Graphical User Interfaces (GUIs). It is recommended to
use Ruijie Supplicant as the authentication client. If other software is used, see the description of the related software.
• Offline
If a user does not want to access the network, the user can go offline in several ways, such as powering off the
device, connecting the port to the network, or using the offline function provided by some supplicants.
4.3.2 Authorization
After a user passes authentication, the NAS restricts the network resources accessible to the user in several ways,
such as binding the IP address and the MAC address, and specifying the maximum online time or period, accessible VLANs,
and bandwidth limit.