H3C Technologies H3C S3100 Series Switches User Manual

authentication domains for different ports even if the user certificates are from the same certificate authority (that is, the user domain names are the same). This allows you to deploy 802.1X access policies flexibly.

Table 1-3 shows the relations of the 802.1X username entered for authentication, mandatory authentication domain configured for the port connecting users, authentication domain for users, and username suffix on the RADIUS server.

Table 1-3 Authentication domain configuration relations

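| 802.1X username | Mandatory authentication domain | Authentication domain | Username displayed | Commands used | Username suffix |
|---|---|---|---|---|---|
| X@Y | Not configured | Y | X@Y | user-name-format with-domain | Y |
| X@Y | Not configured | Y | X@Y | user-name-format without-domain | |
| X@Y | Z | Z | X@Y | user-name-format with-domain | Y |
| X@Y | Z | Z | X@Y | user-name-format without-domain | |
| X | Not configured | Default domain | X@Default domain | user-name-format with-domain | Default domain |
| X | Not configured | Default domain | X@Default domain | user-name-format without-domain | |
| X | Z | Z | X@Z | user-name-format with-domain | Z |
| X | Z | Z | X@Z | user-name-format without-domain | |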

Note that:

- You can view usernames by using the display connection command on the device.
- The above configuration relations are applicable to the switch with authentication domain Y or Z configured. If the specified mandatory authentication domain on a port does not exist on the switch, the 802.1X authentication fails.
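The relations in Table 1-3 and the failure case in the note above can be modelled as one short function. This is an added example, not code from the H3C manual: `resolve`, `Resolution` and the sample domain names are hypothetical, and the without-domain case assumes the switch sends the bare username to the RADIUS server.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Resolution:
    auth_domain: str      # domain used for authentication, authorization, accounting
    displayed: str        # username as shown by "display connection"
    radius_username: str  # username the switch sends to the RADIUS server


def resolve(entered: str, mandatory_domain: Optional[str],
            configured_domains: Set[str], default_domain: str,
            with_domain: bool = True) -> Resolution:
    """Model of Table 1-3 (hypothetical helper, not switch code)."""
    user, _, typed_domain = entered.partition("@")

    if mandatory_domain is not None:
        # Note under Table 1-3: a mandatory domain that does not exist on
        # the switch makes 802.1X authentication fail on that port.
        if mandatory_domain not in configured_domains:
            raise LookupError(f"mandatory domain {mandatory_domain!r} is not configured")
        auth_domain = mandatory_domain
    else:
        auth_domain = typed_domain or default_domain

    # The suffix the user typed is kept even when the mandatory domain
    # overrides where the user is authenticated (row X@Y / Z / Z / X@Y).
    suffix = typed_domain or auth_domain
    displayed = f"{user}@{suffix}"
    # Assumption: user-name-format without-domain sends the bare username.
    radius_username = displayed if with_domain else user
    return Resolution(auth_domain, displayed, radius_username)


if __name__ == "__main__":
    # Constructed sample: "system" stands in for the default domain.
    domains = {"Y", "Z", "system"}
    for name, mandatory in [("X@Y", None), ("X@Y", "Z"), ("X", None), ("X", "Z")]:
        print(name, mandatory, resolve(name, mandatory, domains, "system"))
```

The X@Y with mandatory domain Z case is the one to keep in mind when reading RADIUS logs: the user is handled under domain Z while the username still carries suffix Y.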

With a mandatory authentication domain specified for a port, the system uses the mandatory authentication domain for authentication, authorization, and accounting of all 802.1X users on the port.

Follow these steps to specify a mandatory authentication domain for a port:

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter Ethernet interface view | interface interface-type interface-number | |
| Specify a mandatory authentication domain for the port | dot1x mandatory-domain domain-name | Required. Not specified by default |
