• Authentication server—Provides authentication services for the access device. The authentication server first authenticates 802.1X clients by using the data sent from the access device. Then, the server returns the authentication results to the access device to make access decisions. The authentication server is typically a RADIUS server. In a small LAN, you can use the access device as the authentication server.
802.1X authentication methods
The access device can perform EAP relay or EAP termination to communicate with the RADIUS
server.
• EAP termination—The access device performs the following operations in EAP termination mode:
  a. Terminates the EAP packets received from the client.
  b. Encapsulates the client authentication information in standard RADIUS packets.
  c. Uses PAP or CHAP to authenticate to the RADIUS server.
  CHAP does not send the plaintext password to the RADIUS server, whereas PAP sends the plaintext password to the RADIUS server.
• EAP relay—The access device uses EAPOR packets to send authentication information to the RADIUS server.
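To make the PAP/CHAP distinction in EAP termination mode concrete, the following added example (written for this page, not code from the Comware guide) builds, per RFC 2865, the User-Password attribute value an access device sends for PAP and the CHAP-Password value it sends for CHAP. The shared secret, Request Authenticator, CHAP challenge and password are constructed sample values.

```python
import hashlib
import os


def pap_hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not encryption of the password
    with a per-user key."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def pap_decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The RADIUS server's decoding step. Anyone holding the shared secret and the
    packet recovers the cleartext password; trailing NUL padding is stripped."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3 CHAP-Password value: MD5(CHAP ident || password || challenge).
    The server recomputes it from its stored password; the password itself is never
    in the packet, and the hash cannot be reversed to obtain it."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, response: bytes, stored_password: bytes, challenge: bytes) -> bool:
    return chap_response(chap_id, stored_password, challenge) == response


# Constructed sample values (not from any real deployment).
SECRET = b"radius-shared-secret"
AUTHENTICATOR = os.urandom(16)   # Request Authenticator chosen by the access device
CHALLENGE = os.urandom(16)       # CHAP challenge chosen by the access device
PASSWORD = b"user-password-42"

if __name__ == "__main__":
    hidden = pap_hide_user_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("PAP User-Password on the wire:", hidden.hex())
    print("Server recovers:", pap_decode_user_password(hidden, SECRET, AUTHENTICATOR))
    print("CHAP-Password on the wire:", chap_response(1, PASSWORD, CHALLENGE).hex())
```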
Access control methods
Comware implements port-based access control as defined in the 802.1X protocol, and extends the
protocol to support MAC-based access control.
• Port-based access control—Once an 802.1X user passes authentication on a port, all subsequent users can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.
• MAC-based access control—Each user is separately authenticated on a port. When a user logs off, no other online users are affected.
Port authorization state
The port authorization state determines whether the client is granted access to the network. You can
control the authorization state of a port by using the following options:
• Authorized—Places the port in the authorized state, enabling users on the port to access the network without authentication.
• Unauthorized—Places the port in the unauthorized state, denying any access requests from users on the port.
• Auto—Places the port initially in the unauthorized state to allow only EAPOL packets to pass. After a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios.
Periodic online user reauthentication
Periodic online user reauthentication tracks the connection status of online users, and updates the
authorization attributes assigned by the server. The attributes include the ACL, VLAN, and user
profile-based QoS. The reauthentication interval is user configurable.