1x extensions, Features working together with 802.1x, Vlan assignment – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Page 391: Features working together with 802.1x -10
35-10
Client timeout timer: Once a device sends an EAP-Request/MD5 Challenge packet to a client, it
starts this timer. If this timer expires but it receives no response from the client, it retransmits the
request.
Server timeout timer: Once a device sends a RADIUS Access-Request packet to the
authentication server, it starts this timer. If this timer expires but it receives no response from the
server, it retransmits the request.
Handshake timer: After a client passes authentication, the device sends to the client handshake
requests at this interval to check whether the client is online. If the device receives no response
after sending the allowed maximum number of handshake requests, it considers that the client is
offline.
Quiet timer (quiet-period): When a client fails the authentication, the device refuses further
authentication requests from the client in this period of time.
Periodic re-authentication timer: If periodic re-authentication is enabled on a port, the device
re-authenticates online users on the port at the interval specified by this timer.
802.1X Extensions
The devices extend and optimize the mechanism that the 802.1X protocol specifies by:
Allowing multiple users to access network services through the same physical port.
Supporting two port access control methods: MAC-based access control and port-based access
control. With the MAC-based access control method configured on a port, all users of the port must
be authenticated separately, and when a user goes offline, no other users are affected. With the
port-based access control method configured on a port, after a user connected to the port passes
authentication, all subsequent users of the port can access network resources without
authentication. However, when the authenticated user goes offline, the others are denied as well.
Features Working Together with 802.1X
VLAN assignment
After an 802.1X user passes the authentication, the server will send an authorization message to the
device. If the server is configured with the VLAN assignment function, the assigned VLAN information
will be included in the message. The device, depending on the link type of the port used to log in, adds
the port to the assigned VLAN according to the following rules:
If the port link type is Access, the port leaves its initial VLAN, that is, the VLAN configured for it and
joins the assigned VLAN.
If the port link type is Trunk, the assigned VLAN is allowed to pass the current trunk port. The
default VLAN ID of the port is that of the assigned VLAN.
If the port link type is Hybrid, the assigned VLAN is allowed to pass the current port without carrying
the tag. The default VLAN ID of the port is that of the assigned VLAN. Note that if the Hybrid port is
assigned a MAC-based VLAN, the device will dynamically create a MAC-based VLAN according to
the VLAN assigned by the authentication server, and remain the default VLAN ID of the port
unchanged.