beautypg.com

1x extensions, Features working together with 802.1x, Vlan assignment – H3C Technologies H3C WX6000 Series Access Controllers User Manual

Page 391: Features working together with 802.1x -10

background image

35-10

Client timeout timer: Once a device sends an EAP-Request/MD5 Challenge packet to a client, it

starts this timer. If this timer expires but it receives no response from the client, it retransmits the

request.

Server timeout timer: Once a device sends a RADIUS Access-Request packet to the

authentication server, it starts this timer. If this timer expires but it receives no response from the

server, it retransmits the request.

Handshake timer: After a client passes authentication, the device sends to the client handshake

requests at this interval to check whether the client is online. If the device receives no response

after sending the allowed maximum number of handshake requests, it considers that the client is

offline.

Quiet timer (quiet-period): When a client fails the authentication, the device refuses further

authentication requests from the client in this period of time.

Periodic re-authentication timer: If periodic re-authentication is enabled on a port, the device

re-authenticates online users on the port at the interval specified by this timer.

802.1X Extensions

The devices extend and optimize the mechanism that the 802.1X protocol specifies by:

Allowing multiple users to access network services through the same physical port.

Supporting two port access control methods: MAC-based access control and port-based access

control. With the MAC-based access control method configured on a port, all users of the port must

be authenticated separately, and when a user goes offline, no other users are affected. With the

port-based access control method configured on a port, after a user connected to the port passes

authentication, all subsequent users of the port can access network resources without

authentication. However, when the authenticated user goes offline, the others are denied as well.

Features Working Together with 802.1X

VLAN assignment

After an 802.1X user passes the authentication, the server will send an authorization message to the

device. If the server is configured with the VLAN assignment function, the assigned VLAN information

will be included in the message. The device, depending on the link type of the port used to log in, adds

the port to the assigned VLAN according to the following rules:

If the port link type is Access, the port leaves its initial VLAN, that is, the VLAN configured for it and

joins the assigned VLAN.

If the port link type is Trunk, the assigned VLAN is allowed to pass the current trunk port. The

default VLAN ID of the port is that of the assigned VLAN.

If the port link type is Hybrid, the assigned VLAN is allowed to pass the current port without carrying

the tag. The default VLAN ID of the port is that of the assigned VLAN. Note that if the Hybrid port is

assigned a MAC-based VLAN, the device will dynamically create a MAC-based VLAN according to

the VLAN assigned by the authentication server, and remain the default VLAN ID of the port

unchanged.