H3C Technologies H3C WX3000E Series Wireless Switches User Manual

523

Item Description

Port Control

Set the access control method for the port: MAC Based or Port Based.

NOTE:

To use both 802.1X and portal authentication on a port, you must select MAC Based.

Port Authorization

Select the port authorization state for 802.1X.
Options include:

•

Auto—Places the port initially in unauthorized state to allow only EAPOL packets to

pass, and after a user passes authentication, sets the port in authorized state to allow
access to the network. You can use this option in most scenarios.

•

Force-Authorized—Places the port in authorized state, enabling users on the port to

access the network without authentication.

•

Force-Unauthorized—Places the port in unauthorized state, denying any access

requests from users on the port.

Max Number of
Users

Set the maximum number of concurrent 802.1X users on the port. The maximum number
varies by device model. For more information, see "

About the H3C Access Controllers

Web-Based Configuration Guide

."

Enable Handshake

Specify whether to enable the online user handshake function.
The online user handshake function checks the connectivity status of online 802.1X users.

The network access device sends handshake messages to online users at the interval
specified by the Handshake Period setting. If no response is received from an online user

after the maximum number of handshake attempts (set by the Retry Times setting) has

been made, the network access device sets the user in offline state. For information about
the timers, see "

802.1X timers

."

NOTE:

If the network has 802.1X clients that cannot exchange handshake packets with the network
access device, disable the online user handshake function to prevent their connections from

being inappropriately torn down.

Enable
Re-Authentication

Specify whether to enable periodic online user re-authentication on the port.
Periodic online user re-authentication tracks the connection status of online users and
updates the authorization attributes assigned by the server, such as the ACL, and VLAN.

The re-authentication interval is specified by the Re-Authentication Period setting in

Table

167

.

NOTE:

•

The periodic online user re-authentication timer can also be set by the authentication

server in the session-timeout attribute. The server-assigned timer overrides the timer
setting on the access device, and enables periodic online user re-authentication, even

if the function is not configured. Support for the server assignment of re-authentication

timer and the re-authentication timer configuration on the server vary with servers.

•

The VLAN assignment status must be consistent before and after re-authentication. If

the authentication server has assigned a VLAN before re-authentication, it must also

assign a VLAN at re-authentication. If the authentication server has assigned no VLAN
before re-authentication, it must not assign one at re-authentication. Violation of either

rule can cause the user to be logged off. The VLANs assigned to an online user before

and after re-authentication can be the same or different.

Guest VLAN

Specify an existing VLAN as the guest VLAN. For more information, see "

Configuring an

802.1X guest VLAN

."