• Configure the switch to send a packet to the RADIUS server up to five times at an interval of 5 seconds until it receives a response from the server, and to send real-time accounting packets to the accounting server every 15 minutes.
• Configure the switch to remove the domain name from the username before passing the username to the RADIUS server.
• Set the username of the 802.1X user as localuser and the password as localpass, and specify clear text mode. Enable the idle cut function to log the user off whenever the user remains idle for over 20 minutes.
Figure 23 Network diagram for 802.1X configuration
[Diagram labels: Internet; Device (Authenticator), GE3/0/1, Vlan-int2 1.1.1.1/24; Host (Supplicant), 1.1.1.2/24; Authentication servers (RADIUS server cluster), 10.1.1.1/10.1.1.2]
Configuration procedure
The following configuration procedure covers most AAA/RADIUS configuration commands for the switch. Configuration of the 802.1X client and the RADIUS server is omitted. For information about AAA/RADIUS configuration commands, see AAA in the Security Command Reference.
Configure the IP addresses for each interface. (Omitted)
Add local access user localuser, enable the idle cut function, and set the idle cut interval.
<Device> system-view
[Device] local-user localuser
[Device-luser-localuser] service-type lan-access
[Device-luser-localuser] password simple localpass
[Device-luser-localuser] authorization-attribute idle-cut 20
[Device-luser-localuser] quit
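An added example, not part of the original manual: a Python check that reads local-user commands like those above and reports 802.1X (lan-access) accounts whose password is set in clear text (`simple`) or whose idle cut is missing or longer than the 20 minutes this example requires. The function names and the `max_idle_minutes` parameter are assumptions of this example, and the sample input is constructed from the commands on this page.

```python
import re

# Constructed sample: the local-user commands from this page, prompts included.
SAMPLE = """\
<Device> system-view
[Device] local-user localuser
[Device-luser-localuser] service-type lan-access
[Device-luser-localuser] password simple localpass
[Device-luser-localuser] authorization-attribute idle-cut 20
[Device-luser-localuser] quit
"""

PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")  # strips "<Device>" / "[Device-...]"


def parse_local_users(text):
    """Return {username: {"service": set, "password_mode": str|None, "idle_cut": int|None}}."""
    users, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words:
            continue
        if words[0] == "local-user" and len(words) >= 2:
            current = users.setdefault(
                words[1], {"service": set(), "password_mode": None, "idle_cut": None})
        elif words[0] in ("quit", "#"):  # "#" separates sections in a saved configuration
            current = None
        elif current is None:
            continue
        elif words[0] == "service-type":
            current["service"].update(words[1:])
        elif words[0] == "password" and len(words) >= 3:
            current["password_mode"] = words[1]  # keep the mode only, never the secret
        elif words[:2] == ["authorization-attribute", "idle-cut"] and len(words) >= 3:
            current["idle_cut"] = int(words[2])
    return users


def audit(text, max_idle_minutes=20):
    """List (user, finding) pairs for lan-access users in the given configuration text."""
    findings = []
    for name, u in sorted(parse_local_users(text).items()):
        if "lan-access" not in u["service"]:
            continue
        if u["password_mode"] == "simple":
            findings.append((name, "password configured in clear text (simple)"))
        if u["idle_cut"] is None or u["idle_cut"] > max_idle_minutes:
            findings.append((name, "idle cut missing or longer than %d min" % max_idle_minutes))
    return findings
```

Calling `audit(SAMPLE)` reports only the clear text password for localuser, because the 20-minute idle cut meets the requirement.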
Create RADIUS scheme radius1 and enter its view.
[Device] radius scheme radius1
Configure the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.2