Enabling 802.1x re-authentication – H3C Technologies H3C S3100 Series Switches User Manual

• If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes
  offline, the port returns to its initial VLAN, that is, the VLAN the port was in before it was added to
  any authorized VLAN.
• If the authentication server assigns no VLAN, the port returns to its initial VLAN. After the client
  goes offline, the port still stays in its initial VLAN.
2) MAFV
For MAFV to take effect on a port, you must also enable the MAC VLAN function on the port. With both
MAFV and MAC VLAN configured on a port, the device will bind the MAC addresses of users failing
authentication with the Auth-Fail VLAN of the port, allowing the users to access resources in the
Auth-Fail VLAN.
If a user in the Auth-Fail VLAN initiates authentication again and passes the authentication, the device
will add the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on
whether the authentication server assigns a VLAN.
At present, among the S3100 series Ethernet switches, only the S3100-EI series supports the Auth-Fail
VLAN function.
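The MAFV rules above can be turned into an audit check that compares where each MAC address should be against where it actually is. This is an added example, not taken from the H3C manual: the names Port, expected_vlan and audit are hypothetical, the VLAN IDs and MAC addresses are constructed, and the observed bindings are assumed to have been collected from the switch by other means.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    initial_vlan: int       # VLAN the port was in before any authorized VLAN
    auth_fail_vlan: int     # Auth-Fail VLAN configured on the port
    mac_vlan_enabled: bool  # MAFV only takes effect with MAC VLAN enabled

def expected_vlan(port: Port, passed: bool,
                  assigned_vlan: Optional[int] = None) -> Optional[int]:
    """VLAN a user's MAC should be bound to under the MAFV rules above."""
    if passed:
        # A server-assigned VLAN wins; otherwise the user returns to the
        # initial VLAN of the port.
        return assigned_vlan if assigned_vlan is not None else port.initial_vlan
    if port.mac_vlan_enabled:
        return port.auth_fail_vlan
    # Assumption: with MAC VLAN disabled, MAFV creates no binding at all.
    return None

def audit(port: Port, sessions):
    """Return (mac, expected, observed) for every MAC found in the wrong VLAN."""
    findings = []
    for mac, passed, assigned, observed in sessions:
        want = expected_vlan(port, passed, assigned)
        if want != observed:
            findings.append((mac, want, observed))
    return findings

# Constructed sample data: (MAC, passed auth?, server-assigned VLAN, observed VLAN)
PORT = Port(initial_vlan=10, auth_fail_vlan=99, mac_vlan_enabled=True)
SESSIONS = [
    ("0011-2233-4401", True, 20, 20),     # passed, server assigned VLAN 20
    ("0011-2233-4402", True, None, 10),   # passed, no VLAN assigned: initial VLAN
    ("0011-2233-4403", False, None, 99),  # failed: bound to the Auth-Fail VLAN
    ("0011-2233-4404", False, None, 20),  # failed but sitting in a production VLAN
    ("0011-2233-4405", True, 20, 99),     # passed on retry, still in Auth-Fail VLAN
]

if __name__ == "__main__":
    for mac, want, got in audit(PORT, SESSIONS):
        print(f"{mac}: expected VLAN {want}, observed VLAN {got}")
```

A failed user found outside the Auth-Fail VLAN is the finding to treat as a segmentation problem; a passed user left in the Auth-Fail VLAN is an availability problem.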
Enabling 802.1x re-authentication
802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have
already passed authentication. With 802.1x re-authentication enabled, the switch can monitor the
connection status of users periodically. If the switch receives no re-authentication response from a
user within a period of time, it tears down the connection to the user. To connect to the switch again,
the user must initiate 802.1x authentication from the client software again.
• When re-authenticating a user, the switch goes through the complete authentication process and
  transmits the user's username and password to the server. The server may authenticate the
  username and password again, or it may use re-authentication only for accounting and for checking
  the user's connection status, in which case it does not authenticate the username and password
  again.
• An authentication server running CAMS authenticates the username and password during
  re-authentication of a user in EAP authentication mode, but not in PAP or CHAP
  authentication mode.