1x timers, Configuration prerequisites – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
• Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent
  user can access the network through the port without authentication. When the authenticated user
  logs off, all other users are logged off.
• MAC-based access control—Each user is authenticated separately on a port. When a user logs off,
  no other online users are affected.
802.1X timers
This section describes the timers used on an 802.1X device to guarantee that the client, the device, and
the RADIUS server can interact with each other correctly.
• Username request timeout timer—Starts when the device sends an EAP-Request/Identity packet to
  a client in response to an authentication request. If the device receives no response before this timer
  expires, it retransmits the request. The timer also sets the interval at which the network device sends
  multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
• Client timeout timer—Starts when the access device sends an EAP-Request/MD5 Challenge packet
  to a client. If no response is received when this timer expires, the access device retransmits the
  request to the client.
• Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the
  authentication server. If no response is received when this timer expires, the access device
  retransmits the request to the server.
• Handshake timer—Sets the interval at which the access device sends client handshake requests to
  check the online status of a client that has passed authentication. If the device receives no response
  after sending the maximum number of handshake requests, it considers that the client has logged
  off. For information about how to enable the online user handshake function, see "
• Quiet timer—Starts when the access device sends a RADIUS Access-Request packet to the
  authentication server. If no response is received when this timer expires, the access device
  retransmits the request to the server.
• Periodic online user re-authentication timer—Sets the interval at which the network device
  periodically re-authenticates online 802.1X users. For information about how to enable periodic
  online user re-authentication on a port, see "
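The following Python model is an added illustration, not H3C code or device CLI. It shows how the two access control modes described above interact with the handshake timer: in port-based mode an unauthenticated station keeps access until the one authenticated client misses the maximum number of handshake requests. The class, its method names and the limit of 3 unanswered handshakes are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Dot1xPort:
    """Toy model of one 802.1X-enabled port (hypothetical names, assumed limit)."""
    mode: str                  # "port-based" or "mac-based"
    max_handshakes: int = 3    # unanswered handshake requests tolerated (assumed)
    sessions: dict = field(default_factory=dict)  # MAC -> unanswered count

    def authenticate(self, mac):
        self.sessions[mac] = 0

    def logoff(self, mac):
        if mac not in self.sessions:
            return
        if self.mode == "port-based":
            self.sessions.clear()      # authenticated user leaves: everyone is cut off
        else:
            del self.sessions[mac]     # MAC-based: other users are unaffected

    def can_access(self, mac):
        if self.mode == "port-based":
            return bool(self.sessions)  # any station rides on the open port
        return mac in self.sessions     # each MAC needs its own authentication

    def handshake_round(self, responders):
        """One handshake interval; `responders` is the set of MACs that answered."""
        for mac in list(self.sessions):
            if mac not in self.sessions:   # already removed by a port-wide logoff
                continue
            if mac in responders:
                self.sessions[mac] = 0
            else:
                self.sessions[mac] += 1
                if self.sessions[mac] >= self.max_handshakes:
                    self.logoff(mac)       # device considers the client logged off

def rounds_until_cut_off(port, probe):
    """Handshake rounds during which `probe` keeps access once all clients go silent."""
    rounds = 0
    while port.can_access(probe):
        port.handshake_round(responders=set())
        rounds += 1
    return rounds

if __name__ == "__main__":
    shared = Dot1xPort("port-based")
    shared.authenticate("00:11:22:33:44:55")   # constructed sample MAC
    print(rounds_until_cut_off(shared, "66:77:88:99:aa:bb"))
```

Multiplying the returned round count by the configured handshake interval gives the time an unauthenticated station on a port-based port stays connected after the authenticated client disappears without logging off.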
Configuration prerequisites
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For
  more information, see "
  " and "
• If you use local authentication, create user accounts on the device and assign the LAN access
  service to the users. For more information, see "
• If you use RADIUS authentication, create user accounts on the RADIUS server.
• Configure a special local EAP server on the device to use EAP relay if the RADIUS server does not
  support any EAP authentication method or when local authentication is used. For more information,
  see "