Displaying and maintaining 802.1X, 802.1X authentication configuration example, Network requirements – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

• If the iNode clients can upload their IP addresses during authentication, disable the accounting delay feature for efficiency.
• If the iNode clients cannot upload their IP addresses, make sure the delay setting is equal to or less than the accounting delay that the EAD policy allows to prevent access failures. H3C recommends a delay equal to or less than 20 seconds.
To configure the accounting delay feature on an 802.1X-enabled port:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Ethernet interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure the accounting delay settings.
  Command: dot1x accounting-delay [ action logoff | time time ] *
  Remarks: Optional. By default, accounting delay is disabled.
Displaying and maintaining 802.1X
Task: Display 802.1X session information, statistics, or configuration information of specified or all ports.
  Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Clear 802.1X statistics.
  Command: reset dot1x statistics [ interface interface-list ]
  Remarks: Available in user view
802.1X authentication configuration example
Network requirements
As shown in
, the AC performs 802.1X authentication for users that connect to the AP. Implement
MAC-based access control on the WLAN-ESS port, so the logoff of one user does not affect other online
802.1X users.
Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If
RADIUS authentication fails, perform local authentication on the AC. If RADIUS accounting fails, the AC
logs the user off.
Configure the host at 10.1.1.1 as the primary authentication server and the secondary accounting server,
and the host at 10.1.1.2 as the secondary authentication server and the primary accounting server.
Assign all users to the ISP domain aabbcc.net, which accommodates up to 30 users.
Configure the shared key as name for packets between the AC and the authentication and accounting
servers.
Configure the AC to try up to five times at 5-second intervals in transmitting a packet to the RADIUS
server, and to send accounting packets to the accounting server every 15 minutes. Configure the AC to
remove the domain name from the username before passing the username to the RADIUS server.
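The RADIUS scheme and ISP domain that these requirements describe, written out as an added example that is not taken from the manual page above. It assumes Comware V5 command syntax and a hypothetical scheme name radius1; lines starting with # are annotations rather than commands, and the 802.1X settings on the WLAN-ESS port are not shown.

```text
system-view

# RADIUS scheme (the name radius1 is an assumption, not from the page)
radius scheme radius1
 # 10.1.1.1: primary authentication, secondary accounting
 # 10.1.1.2: secondary authentication, primary accounting
 primary authentication 10.1.1.1
 primary accounting 10.1.1.2
 secondary authentication 10.1.1.2
 secondary accounting 10.1.1.1
 # Shared key "name" is the value stated in the requirements
 key authentication name
 key accounting name
 # Up to five transmission attempts at 5-second intervals
 timer response-timeout 5
 retry 5
 # Send real-time accounting packets every 15 minutes
 timer realtime-accounting 15
 # Strip the domain name from the username sent to the server
 user-name-format without-domain
 quit

# ISP domain for all 802.1X users, limited to 30 users
domain aabbcc.net
 # RADIUS first, local authentication on the AC if RADIUS fails
 authentication default radius-scheme radius1 local
 authorization default radius-scheme radius1 local
 # RADIUS accounting only, with no local fallback, so a user whose
 # accounting fails is logged off
 accounting default radius-scheme radius1
 access-limit enable 30
 quit

# Make aabbcc.net the default domain so users who supply no
# domain name are still assigned to it
domain default enable aabbcc.net
```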