Enabling 802.1x re-authentication – H3C Technologies H3C S3600 Series Switches User Manual

1-11

z

The switch sends authentication triggering request (EAP-Request/Identity) packets to all the

802.1x-enabled ports.

z

After the maximum number retries have been made and there are still ports that have not sent any

response back, the switch will then add these ports to the guest VLAN.

z

Users belonging to the guest VLAN can access the resources of the guest VLAN without being

authenticated. But they need to be authenticated when accessing external resources.

Normally, the guest VLAN function is coupled with the dynamic VLAN delivery function.

Refer to AAA Operation for detailed information about the dynamic VLAN delivery function.

Enabling 802.1x re-authentication

802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have

passed authentication. With 802.1x re-authentication enabled, the switch can monitor the connection

status of users periodically. If the switch receives no re-authentication response from a user in a period

of time, it tears down the connection to the user. To connect to the switch again, the user needs to

initiate 802.1x authentication with the client software again.

z

When re-authenticating a user, a switch goes through the complete authentication process. It

transmits the username and password of the user to the server. The server may authenticate the

username and password, or, however, use re-authentication for only accounting and user

connection status checking and therefore does not authenticate the username and password any

more.

z

An authentication server running CAMS authenticates the username and password during

re-authentication of a user in the EAP authentication mode but does not in PAP or CHAP

authentication mode.

Figure 1-10 802.1x re-authentication

PC

Internet

PC

PC

RADIUS

Server

Switch

802.1x re-authentication can be enabled in one of the following two ways: