Configuring the online user handshake function, Configuring the authentication trigger function – H3C Technologies H3C S6300 Series Switches User Manual
Page 89
74
Step Command
Remarks
3.
Set the server timeout
timer.
dot1x timer server-timeout
server-timeout-value
The default is 100 seconds.
Configuring the online user handshake function
The online user handshake function checks the connectivity status of online 802.1X users. The network
access device sends handshake messages to online users at the interval specified by the dot1x timer
handshake-period command. If no response is received from an online user after the access device has
made the maximum handshake attempts (set by the dot1x retry command), the device sets the user to the
offline state.
If the network has 802.1X clients that cannot exchange handshake packets with the network access
device, disable the online user handshake function to prevent their connections from being
inappropriately torn down.
To configure the online user handshake function:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
(Optional.) Set the handshake
timer.
dot1x timer handshake-period
handshake-period-value
The default is 15 seconds.
3.
Enter Layer 2 Ethernet
interface view.
interface interface-type
interface-number
N/A
4.
Enable the online handshake
function.
dot1x handshake
By default, the function is enabled.
Configuring the authentication trigger function
The authentication trigger function enables the network access device to initiate 802.1X authentication
when 802.1X clients cannot initiate authentication.
This function provides the following types of authentication trigger:
•
Multicast trigger—Periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X
clients and trigger authentication.
•
Unicast trigger—Enables the network device to initiate 802.1X authentication when it receives a
data frame from an unknown source MAC address. The device sends a unicast Identity
EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has
received no response within a period of time. This process continues until the maximum number of
request attempts set with the dot1x retry command is reached (see "
of authentication request attempts
").
The identity request timeout timer sets both the identity request interval for the multicast trigger and the
identity request timeout interval for the unicast trigger.