
Advanced 802.1x configuration – H3C Technologies H3C S3100 Series Switches User Manual


Operation: Set 802.1x timers
Command: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value }
Remarks: Optional. The settings of 802.1x timers are as follows.
- handshake-period-value: 15 seconds
- quiet-period-value: 60 seconds
- server-timeout-value: 100 seconds
- supp-timeout-value: 30 seconds
- tx-period-value: 30 seconds
- ver-period-value: 30 seconds

Operation: Enable the quiet-period timer
Command: dot1x quiet-period
Remarks: Optional. By default, the quiet-period timer is disabled.

- As for the dot1x max-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also use this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed.
- As for the configuration of 802.1x timers, the default values are recommended.
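The following Python script is an added example, not part of the H3C manual. It reads the dot1x lines of a saved configuration and reports the effective timers, using the command keywords and timer settings listed above. The sample configuration is constructed, and the names audit_dot1x, LISTED and SAMPLE are hypothetical.

```python
import re

# Timer settings listed in the manual text above, in seconds.
LISTED = {
    "handshake-period": 15,
    "quiet-period": 60,
    "server-timeout": 100,
    "supp-timeout": 30,
    "tx-period": 30,
    "ver-period": 30,
}
TIMER_RE = re.compile(r"^dot1x timer (\S+) (\d+)$")

# Constructed sample of system-view lines (not taken from a real device).
SAMPLE = """\
#
 dot1x
 dot1x timer quiet-period 120
 dot1x timer tx-period 30
#
"""

def audit_dot1x(config_text):
    """Return (effective_timers, quiet_enabled, findings) for the dot1x lines."""
    timers = dict(LISTED)
    quiet_enabled = False
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "dot1x quiet-period":      # enables the quiet-period timer
            quiet_enabled = True
            continue
        m = TIMER_RE.match(line)
        if not m:
            continue                           # not a timer line
        name, value = m.group(1), int(m.group(2))
        if name not in LISTED:
            findings.append(f"unknown timer keyword: {name}")
            continue
        timers[name] = value
        if value != LISTED[name]:
            findings.append(f"{name} changed from {LISTED[name]}s to {value}s")
    if not quiet_enabled:
        findings.append("quiet-period timer is not enabled (no 'dot1x quiet-period' line)")
    return timers, quiet_enabled, findings

if __name__ == "__main__":
    for item in audit_dot1x(SAMPLE)[2]:
        print(item)
```

In the sample, the quiet-period value is changed to 120 seconds but the timer itself is never enabled, so both conditions are reported.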

Advanced 802.1x Configuration

Advanced 802.1x configurations, as listed below, are all optional.

- Specifying a Mandatory Authentication Domain for a Port
- Configuration concerning CAMS, including detection of multiple network adapters, proxy detection, and so on
- Client version checking configuration
- DHCP-triggered authentication
- Configuration of Unicast trigger for 802.1X Authentication
- Guest VLAN configuration
- Configuration of Auth-Fail VLAN for 802.1X Authentication
- 802.1x re-authentication configuration
- Configuration of the 802.1x re-authentication timer

You need to configure basic 802.1x functions before configuring the above 802.1x features.

Specifying a Mandatory Authentication Domain for a Port

By specifying a mandatory authentication domain for a port, you can implement a security control policy for 802.1X users. That is, the system uses the mandatory authentication domain for authentication, authorization, and accounting of all 802.1X users on the port, thereby preventing those users from using other accounts to access the network.

Meanwhile, for EAP relay mode 802.1X authentication that uses certificates, the certificate of a user determines the authentication domain of the user. However, you can specify different mandatory