1-13
command. If the device does not receive any response from an online user after the device has sent the
handshake packet for the maximum number of times, which is set by the
dot1x retry
command, the
device will set the user state to offline.
The online user handshake security function helps prevent online users from using illegal client
software to exchange handshake messages with the device. Using illegal client software for handshake
message exchange may result in escape from some security inspection functions, such as proxy
detection and dual network interface card (NIC) detection. With the online handshake security function
enabled, the device checks the authentication information carried in the handshake messages of a
client. If the client fails the authentication, the device forces the user offline.
Mandatory authentication domain for a specified port
The mandatory authentication domain function provides a security control mechanism for 802.1X
access. With a mandatory authentication domain specified for a port, the system uses the mandatory
authentication domain for authentication, authorization, and accounting of all 802.1X users on the port.
In this way, users accessing the port cannot use any account in other domains.
Meanwhile, for EAP relay mode 802.1X authentication that uses certificates, the certificate of a user
determines the authentication domain of the user. However, you can specify different mandatory
authentication domains for different ports even if the user certificates are from the same certificate
authority (that is, the user domain names are the same). This allows you to deploy 802.1X access
policies flexibly.
Configuring 802.1X
Configuration Prerequisites
802.1X provides a user identity authentication scheme. However, 802.1X cannot implement the
authentication scheme solely by itself. RADIUS or local authentication must be configured to work with
802.1X.
z
Configure the ISP domain to which the 802.1X user belongs and the AAA scheme to be used (that
is, local authentication or RADIUS).
z
For remote RADIUS authentication, the username and password information must be configured
on the RADIUS server.
z
For local authentication, the username and password information must be configured on the device
and the service type must be set to
lan-access
.
For detailed configuration of the RADIUS client, refer to
AAA Configuration
in the
Security Volume
.
Configuring 802.1X Globally
Follow these steps to configure 802.1X globally:
To do…
Use the command…
Remarks
Enter system view
system-view
—
Enable 802.1X globally
dot1x
Required
Disabled by default
Set the authentication method
dot1x
authentication-method
{
chap
|
eap
|
pap
}
Optional
CHAP by default
Содержание S5500-SI Series
Страница 161: ...3 10 GigabitEthernet1 0 1 2 MANUAL...
Страница 220: ...1 7 Clearing ARP entries from the ARP table may cause communication failures...
Страница 250: ...3 3 SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address dhcp alloc...
Страница 310: ...i Table of Contents 1 Dual Stack Configuration 1 1 Dual Stack Overview 1 1 Configuring Dual Stack 1 1...
Страница 331: ...1 7 1 1 ms 1 ms 1 ms 1 1 6 1 2 1 ms 1 ms 1 ms 1 1 4 1 3 1 ms 1 ms 1 ms 1 1 2 2 Trace complete...
Страница 493: ...2 8...
Страница 1111: ...1 10 Installing patches Installation completed and patches will continue to run after reboot...