• Handshake timer (handshake-period): After a client passes authentication, the device sends
  handshake requests to the client at this interval to check whether the client is online. If the
  device receives no response after sending the allowed maximum number of handshake requests, it
  considers the client offline.
• Quiet timer (quiet-period): When a client fails authentication, the device refuses further
  authentication requests from the client for this period of time.
• Periodic re-authentication timer (reauth-period): If periodic re-authentication is enabled on a
  port, the device re-authenticates online users on the port at the interval specified by this timer.
Extensions to 802.1X
The devices extend and optimize the mechanism that the 802.1X protocol specifies by:
• Allowing multiple users to access network services through the same physical port.
• Supporting two authentication methods: portbased and macbased. With the portbased method,
  after the first user of a port passes authentication, all other users of the port can access the
  network without authentication, and when the first user goes offline, all other users go offline
  at the same time. With the macbased method, each user of a port must be authenticated
  separately, and when an authenticated user goes offline, no other users are affected.
After an 802.1X client passes authentication, the authentication server sends authorization information
to the device. If the authorization information contains VLAN authorization information, the device adds
the port connecting the client to the assigned VLAN. This neither changes nor affects the configurations
of the port. The only result is that the assigned VLAN takes precedence over the manually configured
one, that is, the assigned VLAN takes effect. After the client goes offline, the configured one takes
effect.
Features Working Together with 802.1X
VLAN assignment
After an 802.1X user passes the authentication, the server will send an authorization message to the
device. If the server is enabled with the VLAN assignment function, the assigned VLAN information will
be included in the message. The device, depending on the link type of the port used to log in, adds the
port to the assigned VLAN according to the following rules:
• If the port link type is Access, the port leaves its initial VLAN (that is, the VLAN configured
  for it) and joins the assigned VLAN.
• If the port link type is Trunk, the assigned VLAN is allowed to pass the current trunk port. The
  default VLAN ID of the port is that of the assigned VLAN.
• If the port link type is Hybrid, the assigned VLAN is allowed to pass the current port without
  carrying the tag. The default VLAN ID of the port is that of the assigned VLAN. Note that if the
  Hybrid port is assigned a MAC-based VLAN, the device dynamically creates a MAC-based VLAN
  according to the VLAN assigned by the authentication server, and leaves the default VLAN ID of
  the port unchanged.
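
The link-type rules above, modeled as a small Python sketch for checking which VLAN an authenticated port ends up in (an added example, not taken from the vendor's documentation or firmware). The class and field names are hypothetical, the MAC addresses and VLAN IDs are constructed, and the model assumes one authenticated client per port except on a Hybrid port with MAC-based VLANs, where it also assumes the untagged-pass rule still applies.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    link_type: str                  # "access", "trunk" or "hybrid"
    configured_pvid: int            # manually configured default VLAN ID
    allowed: set = field(default_factory=set)    # trunk/hybrid: VLANs allowed to pass
    untagged: set = field(default_factory=set)   # hybrid: VLANs sent without a tag
    mac_vlan: bool = False          # hybrid port using MAC-based VLANs
    assigned: dict = field(default_factory=dict) # client MAC -> VLAN from the server

    def authorize(self, mac, vlan):
        """Client passed 802.1X; the authorization message carried a VLAN."""
        self.assigned[mac] = vlan

    def logoff(self, mac):
        """Client offline: the configured settings take effect again."""
        self.assigned.pop(mac, None)

    def effective(self):
        """Return (pvid, allowed, untagged, mac_vlan_table) now in force.
        The configured fields are never modified, only overridden."""
        pvid, mac_table = self.configured_pvid, {}
        allowed, untagged = set(self.allowed), set(self.untagged)
        for mac, vlan in self.assigned.items():
            if self.link_type == "access":
                pvid = vlan                    # leaves initial VLAN, joins assigned one
                continue
            allowed.add(vlan)                  # trunk/hybrid: assigned VLAN may pass
            if self.link_type == "hybrid":
                untagged.add(vlan)             # hybrid: passes without the tag
            if self.link_type == "hybrid" and self.mac_vlan:
                mac_table[mac] = vlan          # dynamic MAC-based VLAN, PVID unchanged
            else:
                pvid = vlan                    # assigned VLAN becomes the default VLAN
        return pvid, allowed, untagged, mac_table

def demo():
    """Constructed sample: MAC addresses and VLAN IDs are made up."""
    access = Port("access", configured_pvid=10)
    access.authorize("00e0-fc00-0001", 200)
    during = access.effective()[0]
    access.logoff("00e0-fc00-0001")
    after = access.effective()[0]
    hybrid = Port("hybrid", 10, {10}, {10}, mac_vlan=True)
    hybrid.authorize("00e0-fc00-0002", 300)
    return during, after, hybrid.effective()
```

Comparing `effective()` with the configured fields shows at a glance which ports currently sit in a server-assigned VLAN rather than the one in the saved configuration.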