Enabling 802.1x re-authentication – H3C Technologies H3C WX3000 Series Unified Switches User Manual


• The device sends authentication request (EAP-Request/Identity) packets to all the 802.1x-enabled
ports.

• After the maximum number of retries have been made and there are still ports that have not sent any
response back, the device adds these ports to the Guest VLAN.

• Users belonging to the Guest VLAN can access the resources of the Guest VLAN without being
authenticated. However, they need to be authenticated when accessing external resources.

Normally, the Guest VLAN function is coupled with the dynamic VLAN delivery function.

Refer to AAA in H3C WX3000 Series Unified Switches Switching Engine Configuration Guide for
detailed information about the dynamic VLAN delivery function.

Enabling 802.1x re-authentication

802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have
passed authentication. With 802.1x re-authentication enabled, the device can monitor the connection
status of users periodically. If the device receives no re-authentication response from a user in a period
of time, it tears down the connection to the user. To connect to the device again, the user needs to
initiate 802.1x authentication with the client software again.

Figure 23-10 802.1x re-authentication
[Network diagram: PCs, Switch, RADIUS Server, Internet]

802.1x re-authentication can be enabled in one of the following two ways:

• The RADIUS server triggers the device to perform 802.1x re-authentication of users. The RADIUS
server sends the device an Access-Accept packet with the Termination-Action attribute field of 1.
Upon receiving the packet, the device re-authenticates users periodically.

• You enable 802.1x re-authentication on the device. With 802.1x re-authentication enabled, the
device re-authenticates users periodically.
