Operation Manual – 802.1x and System Guard
H3C S5600 Series Ethernet Switches
Chapter 1 802.1x Configuration
1-15
Note:
802.1x re-authentication will fail if a CAMS server is used and configured to perform
authentication but not accounting. This is because a CAMS server establishes a user
session after it begins to perform accounting. Therefore, to enable 802.1x
re-authentication, do not configure the
accounting none
command in the domain. This
restriction does not apply to other types of servers.
1.2 Introduction to 802.1x Configuration
802.1x provides a solution for authenticating users. To implement this solution, you
need to execute 802.1x-related commands. You also need to configure AAA schemes
on switches and specify the authentication scheme (RADIUS or local authentication
scheme).
ISP domain
configuration
AAA scheme
Local
authentication
RADIUS
scheme
802.1x
configuration
ISP domain
configuration
AAA scheme
Local
authentication
RADIUS
scheme
802.1x
configuration
Figure 1-11
802.1x configuration
z
802.1x users use domain names to associate with the ISP domains configured on
switches
z
Configure the AAA scheme (a local authentication scheme or a RADIUS scheme)
to be adopted in the ISP domain.
z
If you specify to use a local authentication scheme, you need to configure the user
names and passwords manually on the switch. Users can pass the authentication
through 802.1x client if they provide user names and passwords that match those
configured on the switch.
z
If you specify to adopt the RADIUS scheme, the supplicant systems are
authenticated by a remote RADIUS server. In this case, you need to configure
user names and passwords on the RADIUS server and perform RADIUS
client-related configuration on the switches.
z
You can also specify to adopt the RADIUS authentication scheme, with a local
authentication scheme as a backup. In this case, the local authentication scheme
is adopted when the RADIUS server fails.
Refer to the
AAA Operation
for detailed information about AAA scheme configuration.