[Device-isp-aabbcc.net] access-limit enable 30
# Configure the idle cut function to log off any online domain user that has been idle for 20 minutes.
[Device-isp-aabbcc.net] idle-cut enable 20
[Device-isp-aabbcc.net] quit
# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is
assigned to the default ISP domain.
[Device] domain default enable aabbcc.net
6. Configure 802.1X.
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on port GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default
setting.)
[Device] dot1x port-method macbased interface gigabitethernet 1/0/1
Verification
Use the display dot1x interface gigabitethernet 1/0/1 command to verify the 802.1X configuration. After
an 802.1X user passes RADIUS authentication, you can use the display connection command to view the
user connection information. If the user fails RADIUS authentication, local authentication is performed.
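The following offline check is an added example, not part of the original manual. It audits a saved configuration for the settings made above, relying on the fact that 802.1X takes effect on a port only when it is enabled both globally and on the port. The layout of the sample text is an assumption modeled on a running configuration, and GigabitEthernet1/0/4 is a hypothetical port added to show a failing case.

```python
import re

# Constructed sample in the style of a running configuration (not captured
# from a device). GigabitEthernet1/0/4 is a hypothetical unprotected port.
SAMPLE = """\
 domain default enable aabbcc.net
 dot1x
#
domain aabbcc.net
 access-limit enable 30
 idle-cut enable 20
#
interface GigabitEthernet1/0/1
 dot1x
#
interface GigabitEthernet1/0/4
 port access vlan 5
#
"""

def parse_sections(text):
    """Group indented lines under their view header; '' is system view."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):      # '#' closes the current view
            current = ""
        elif raw.startswith(" "):         # indented: command inside a view
            sections[current].append(raw.strip())
        else:                             # unindented: a new view header
            current = raw.strip()
            sections[current] = []
    return sections

def audit(text):
    """Report global 802.1X state, default ISP domain limits, per-port state."""
    s = parse_sections(text)
    report = {"global_dot1x": "dot1x" in s[""], "default_domain": None,
              "domain_limits": {}, "ports": {}}
    for line in s[""]:
        m = re.match(r"domain default enable (\S+)", line)
        if m:
            report["default_domain"] = m.group(1)
    for line in s.get("domain %s" % report["default_domain"], []):
        m = re.match(r"(access-limit|idle-cut) enable (\d+)", line)
        if m:
            report["domain_limits"][m.group(1)] = int(m.group(2))
    for header, lines in s.items():
        if header.startswith("interface ") and "Ethernet" in header:
            name = header.split(None, 1)[1]
            report["ports"][name] = report["global_dot1x"] and "dot1x" in lines
    return report
```

A port reported as False accepts traffic without 802.1X authentication, so the result can be compared against the list of ports that are meant to be user-facing.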
802.1X with guest VLAN and VLAN assignment configuration example
Network requirements
As shown in
A host is connected to port GigabitEthernet 1/0/2 of the device and must pass 802.1X
authentication to access the Internet. GigabitEthernet 1/0/2 is in VLAN 1.
GigabitEthernet 1/0/2 implements port-based access control.
GigabitEthernet 1/0/3 is in VLAN 5 and is for accessing the Internet.
The authentication server runs RADIUS and is in VLAN 2.
The update server in VLAN 10 is for client software download and upgrade.
If no user passes 802.1X authentication on GigabitEthernet 1/0/2 within a period of time (90
seconds by default), the device adds GigabitEthernet 1/0/2 to its guest VLAN, VLAN 10. The host
and the update server are both in VLAN 10 and the host can access the update server and
download the 802.1X client software.
After the host passes 802.1X authentication, the host is assigned to VLAN 5 where GigabitEthernet
1/0/3 is. The host can access the Internet.