beautypg.com

H3C Technologies H3C WX6000 Series Access Controllers User Manual

Page 270

background image

31-16

Table 31-7 Configuration items of the other four security modes

Item

Description

Port Mode

mac-else-userlogin-secure: This mode is the combination of the
mac-authentication and userlogin-secure modes, with MAC authentication having
a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs
only MAC authentication; upon receiving an 802.1X frame, the port performs
MAC authentication and then, if MAC authentication fails, 802.1X authentication.

mac-else-userlogin-secure-ext: This mode is similar to the
mac-else-userlogin-secure mode, except that it supports multiple 802.1X and
MAC authentication users on the port.

userlogin-secure-or-mac: This mode is the combination of the userlogin-secure
and mac-authentication modes, with 802.1X authentication having a higher
priority. For a wireless user, 802.1X authentication is performed first. If 802.1X
authentication fails, MAC authentication is performed.

userlogin-secure-or-mac-ext: This mode is similar to the userlogin-secure-or-mac
mode, except that it supports multiple 802.1X and MAC authentication users on
the port.

Max User

Control the maximum number of users allowed to access the network through the
port.

Mandatory Domain

Select an existing domain from the drop-down list. After a mandatory domain is
configured, all 802.1X users accessing the port are forced to use the mandatory
domain for authentication, authorization, and accounting.

The default domain is system. To create a domain, select Authentication > AAA
from the navigation tree, click the Domain Setup tab, and type a new domain name
in the Domain Name combo box.

Authentication Method

EAP: Use the Extensible Authentication Protocol (EAP). With EAP authentication,
the authenticator encapsulates 802.1X user information in the EAP attributes of
RADIUS packets and sends the packets to the RADIUS server for authentication;
it does not need to repackage the EAP packets into standard RADIUS packets for
authentication.

CHAP: Use the Challenge Handshake Authentication Protocol (CHAP). By
default, CHAP is used. CHAP transmits only usernames but not passwords over
the network. Therefore this method is safer.

PAP: Use the Password Authentication Protocol (PAP). PAP transmits
passwords in plain text.

Handshake

Enable: Enable the online user handshake function so that the device can
periodically send handshake messages to a user to check whether the user is
online. By default, the function is enabled.

Disable: Disable the online user handshake function.

Multicast Trigger

Enable: Enable the multicast trigger function of 802.1X to send multicast trigger
messages to the clients periodically for initiating authentication. By default, the
multicast trigger function is enabled.

Disable: Disable the 802.1X multicast trigger function.

For a WLAN, the clients can actively initiate authentication, or the AP can discover
users and trigger authentication. Therefore, the ports do not need to send 802.1X
multicast trigger messages periodically for initiating authentication. You are
recommended to disable the multicast trigger function in a WLAN because the
multicast trigger messages consume bandwidth.

MAC Authentication

Select the MAC Authentication check box.

Domain

Select an existing domain from the drop-down list.

The default domain is system. To create a domain, select Authentication > AAA
from the navigation tree, click the Domain Setup tab, and type a new domain name
in the Domain Name combo box.

The domain selected is applicable to only the current wireless service.