802.1X timers
This section describes the timers used on an 802.1X device to guarantee that the client, the device,
and the RADIUS server can interact with each other correctly.
• Username request timeout timer—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
• Client timeout timer—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
• Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
• Handshake timer—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off. For information about how to enable the online user handshake function, see "
• Quiet timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
• Periodic online user re-authentication timer—Sets the interval at which the network device periodically re-authenticates online 802.1X users. For information about how to enable periodic online user re-authentication on a port, see "."
Using 802.1X authentication with other features
VLAN assignment
You can configure the authentication server to assign a VLAN for an 802.1X user that has passed
authentication. The way that the network access device handles VLANs on an 802.1X-enabled port
differs by 802.1X access control mode.
Access control: Port-based
VLAN manipulation: Assigns the VLAN to the port as the port VLAN (PVID). The authenticated 802.1X user and all subsequent 802.1X users can access the VLAN without authentication. When the user logs off, the previous PVID restores, and all other online users are logged off.

Access control: MAC-based
VLAN manipulation:
• If the port is a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
• If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, the device assigns the first authenticated user's VLAN to the port as the PVID. If a different VLAN is assigned to a subsequent user, the user cannot pass the authentication. To avoid the authentication failure of subsequent users, be sure to assign the same VLAN to all 802.1X users on these ports.

With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member.
After the assignment, do not reconfigure the port as a tagged member in the VLAN.
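
The VLAN handling rules above, modeled as a small Python state machine so a planned set of server-side VLAN assignments can be checked against a port's access control mode. This is an added example, not vendor code or behaviour captured from the device. The class, function names and sample MAC/VLAN values are constructed for illustration, and leaving the PVID unchanged on logoff for MAC-based ports without MAC-based VLAN is an assumption, since the text does not describe that case.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    access_control: str          # "port-based" or "mac-based"
    link_type: str = "access"    # "access", "trunk" or "hybrid"
    mac_vlan: bool = False       # MAC-based VLAN enabled (hybrid ports)
    pvid: int = 1
    saved_pvid: int = 1          # PVID to restore after a port-based logoff
    mac_to_vlan: dict = field(default_factory=dict)  # per-user VLAN mappings
    online: list = field(default_factory=list)       # MACs online, in join order

    def per_mac(self):
        return (self.access_control == "mac-based"
                and self.link_type == "hybrid" and self.mac_vlan)

    def authenticate(self, mac, vlan):
        """Apply the server-assigned VLAN; return True if the user comes online."""
        if self.per_mac():
            self.mac_to_vlan[mac] = vlan      # PVID of the port does not change
        elif not self.online:
            self.saved_pvid, self.pvid = self.pvid, vlan  # first user sets the PVID
        elif self.access_control == "mac-based" and vlan != self.pvid:
            return False                      # different VLAN: authentication fails
        # Port-based: later users reach the VLAN without authenticating.
        self.online.append(mac)
        return True

    def logoff(self, mac):
        if self.access_control == "port-based" and self.online[:1] == [mac]:
            self.pvid = self.saved_pvid       # previous PVID restores
            self.online.clear()               # all other online users are logged off
            return
        self.mac_to_vlan.pop(mac, None)       # per-MAC mapping removed, if any
        self.online.remove(mac)               # PVID left as is: the text does not
                                              # describe this case (assumption)

def rejected_users(port, assignments):
    """MACs from ordered (mac, vlan) pairs that would fail authentication."""
    return [mac for mac, vlan in assignments if not port.authenticate(mac, vlan)]

# Constructed sample: three users, one assigned a different VLAN by the server.
SAMPLE = [("00:00:5e:00:53:01", 10), ("00:00:5e:00:53:02", 20),
          ("00:00:5e:00:53:03", 10)]

if __name__ == "__main__":
    print(rejected_users(Port("mac-based", "access"), SAMPLE))
    print(rejected_users(Port("mac-based", "hybrid", mac_vlan=True), SAMPLE))
```

Running the same assignment list against each port type shows which users would be locked out before the server-side VLAN policy is rolled out.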