184
You can configure only one 802.1X guest VSI on a port. The 802.1X guest VSIs on different ports can
be different.
On a port, the 802.1X guest VSI configuration is mutually exclusive with the 802.1X guest VLAN,
802.1X Auth-Fail VLAN, and 802.1X critical VLAN settings.
Examples
# Specify VSI
vsiuser
as the 802.1X guest VSI on Ten-GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] dot1x guest-vsi vsiuser
Related commands
display dot1x
reset dot1x guest-vsi
dot1x guest-vsi-delay
Use
dot1x guest-vsi-delay
to enable 802.1X guest VSI assignment delay on a port.
Use
undo dot1x guest-vsi-delay
to disable the specified 802.1X guest VSI assignment delay on a
port.
Syntax
dot1x guest-vsi-delay
{
eapol
|
new-mac
}
undo dot1x guest-vsi-delay
[
eapol
|
new-mac
]
Default
802.1X guest VSI assignment delay is disabled on a port.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Parameters
eapol
: Specifies EAPOL-triggered 802.1X guest VSI assignment delay. This keyword takes effect if
802.1X authentication is triggered by EAPOL-Start packets.
new-mac
: Specifies new MAC-triggered 802.1X guest VSI assignment delay. This keyword takes
effect if 802.1X authentication is triggered by packets from unknown MAC addresses.
Usage guidelines
This command enables the device to delay assigning an 802.1X-enabled port to the 802.1X guest
VSI when 802.1X authentication is triggered on the port.
To use this feature, the 802.1X-enabled port must perform MAC-based access control.
When 802.1X authentication is triggered on a port, the device performs the following operations:
1.
Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the
authentication.
2.
Retransmits the packet if no response has been received within the username request timeout
interval set by using the
dot1x timer tx-period
command.