Enabling the proxy detection function – H3C Technologies H3C S7500E Series Switches User Manual
- You need to disable proxy detection before disabling the online user handshake function.
- Some 802.1X clients do not support exchanging handshake packets with the device. In this
  case, you need to disable the online user handshake function on the device; otherwise the
  device will tear down the connections with such online users for not receiving handshake
  responses.

Enabling the Proxy Detection Function
With the proxy detection function enabled, the device can prevent users from logging in through
proxies (that is, through authenticated 802.1X clients), so that no user can access network
resources through a proxy or bypass monitoring and accounting. If the device detects that a user
is logging in through a proxy, it sends a trap message to the network management system
and/or forces the user to log off by sending an offline message.
The proxy detection function is based on the online user handshake function. Before enabling
the proxy detection function, make sure that the online user handshake function is enabled.
For the proxy detection function to take effect on a port, you must enable the function both
globally and on the port.
Follow these steps to configure the proxy detection function:

To do…                                    Use the command…                              Remarks
----------------------------------------  --------------------------------------------  ----------------------
Enter system view                         system-view                                   —

Enable the proxy detection function       dot1x supp-proxy-check { logoff | trap }      Required
globally                                                                                Disabled by default

Enable the proxy detection function on    dot1x supp-proxy-check { logoff | trap }      Required
one or more ports (in system view)        interface interface-list                      Use either approach.
                                                                                        Disabled by default

Enable the proxy detection function on    interface interface-type interface-number     (same remarks as the
one or more ports (in Ethernet            dot1x supp-proxy-check { logoff | trap }      system view approach)
interface view)

The proxy detection function requires the cooperation of the iNode client software.
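
The following audit script is an added example, not part of the H3C manual: it reads a saved configuration and reports ports whose proxy detection setting cannot take effect because the global setting is missing or the handshake function is disabled on the port. The configuration layout, the port names, the `undo dot1x handshake` line and the rule that each action must match at both levels are assumptions made for the example.

```python
import re

# Constructed sample in the style of a saved configuration; the port names and
# the "undo dot1x handshake" line are assumptions, not taken from the manual page.
SAMPLE_CONFIG = """\
#
 dot1x
 dot1x supp-proxy-check logoff
#
interface GigabitEthernet2/0/1
 dot1x supp-proxy-check logoff
#
interface GigabitEthernet2/0/2
 dot1x supp-proxy-check trap
#
interface GigabitEthernet2/0/3
 undo dot1x handshake
 dot1x supp-proxy-check logoff
#
"""

CHECK = re.compile(r"^dot1x supp-proxy-check (logoff|trap)$")

def audit(config_text):
    """Return (port, problem) findings for proxy detection settings that cannot take effect."""
    global_actions, ports, current = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None  # "#" ends a configuration block
        elif line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], {"actions": set(), "handshake": True})
        elif line == "undo dot1x handshake" and current is not None:
            current["handshake"] = False
        elif (m := CHECK.match(line)):
            (global_actions if current is None else current["actions"]).add(m.group(1))
    findings = []
    for port, cfg in ports.items():
        # Assumption: each action (logoff, trap) must be enabled at both levels.
        for action in sorted(cfg["actions"] - global_actions):
            findings.append((port, f"{action} set on port but not globally"))
        if cfg["actions"] and not cfg["handshake"]:
            findings.append((port, "handshake disabled, proxy detection depends on it"))
    return findings

if __name__ == "__main__":
    for port, problem in audit(SAMPLE_CONFIG):
        print(f"{port}: {problem}")
```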