Extended functions, Authorized vlan assignment, Vlan assigned to terminals failing authentication – H3C Technologies H3C S3100 Series Switches User Manual

Page 479: Detection of online terminals

• Upon startup, a terminal triggers MAC authentication first on the access device. If it passes MAC authentication, no other types of authentication will be performed. If it fails, 802.1X or Web authentication can be triggered.
• If a terminal sends an EAP packet using the 802.1X client or a third-party client, only 802.1X authentication is triggered for the terminal on the access device.
• If a terminal sends an HTTP packet, Web authentication is triggered for the terminal on the access device.

For terminals passing a type of authentication, the following principles are followed:

• After a terminal passes 802.1X authentication or Web authentication, no other types of authentication will be triggered for the terminal.
• After a terminal passes MAC authentication, no Web authentication will be triggered for the terminal but 802.1X authentication can be triggered for it, and the 802.1X authentication information will overwrite the MAC authentication information for the terminal.

If both MAC authentication and Web authentication are enabled on an interface that is configured with a static MAC address binding for a connected client, the client still needs to pass authentication before going online. To make the client free from authentication, you can execute the web-authentication free-user command or configure an ACL rule to permit packets sourced from the client to pass.

Extended Functions

A port enabled with the three types of authentication also supports the following extended functions.

Authorized VLAN assignment

After a terminal passes authentication, the server assigns an authorized VLAN to the access port connected to that terminal and then the access port adds the terminal to the authorized VLAN.

For information about VLAN assignment, refer to AAA Operation.

VLAN assigned to terminals failing authentication

After a terminal fails authentication, the access port adds the terminal to a preconfigured VLAN.

• For 802.1X and portal authentication terminals, the preconfigured VLAN refers to the Auth-Fail VLAN configured on the access port.
• For MAC authentication terminals, the preconfigured VLAN refers to the Guest VLAN or the Auth-Fail VLAN configured on the access port.
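The trigger rules and VLAN outcomes described above can be checked against a small model when planning or testing a port configuration. The following Python sketch is an added example, not part of the H3C manual or the switch software; the class and function names, the packet labels and the VLAN IDs are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Packet kinds as the page names them; "startup" is the terminal's first traffic.
TRIGGER = {"startup": "mac", "eap": "802.1x", "http": "web"}

@dataclass
class Port:                      # VLAN IDs are constructed sample values
    auth_fail_vlan: int          # Auth-Fail VLAN, used for 802.1X and Web failures
    mac_fail_vlan: int           # Guest VLAN or Auth-Fail VLAN, used for MAC failures

@dataclass
class Terminal:
    passed: Optional[str] = None  # authentication type currently on record
    vlan: Optional[int] = None

def triggered(term: Terminal, packet: str) -> Optional[str]:
    """Authentication type this packet triggers, or None if it is suppressed."""
    method = TRIGGER[packet]
    if term.passed in ("802.1x", "web"):
        return None                       # nothing further after 802.1X or Web success
    if term.passed == "mac":
        return method if method == "802.1x" else None   # only 802.1X may follow MAC
    return method

def handle(term: Terminal, port: Port, packet: str, ok: bool,
           authorized_vlan: Optional[int] = None) -> Optional[str]:
    """Apply one authentication attempt; return the type that ran (None if none)."""
    method = triggered(term, packet)
    if method is None:
        return None
    if ok:
        term.passed = method              # 802.1X record overwrites a MAC record
        term.vlan = authorized_vlan       # server-assigned authorized VLAN
    elif term.passed is None:             # assumption: a failed 802.1X attempt after
        # MAC success leaves the MAC record in place; the page does not cover it
        term.vlan = port.mac_fail_vlan if method == "mac" else port.auth_fail_vlan
    return method

def replay(port: Port, events) -> Terminal:
    """Run (packet, ok, authorized_vlan) events for one terminal."""
    term = Terminal()
    for packet, ok, vlan in events:
        handle(term, port, packet, ok, vlan)
    return term
```

Replaying an event list such as `[("startup", True, 10), ("http", True, 30)]` shows that the terminal stays on its MAC authentication record, because Web authentication is not triggered after MAC authentication succeeds.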

Detection of online terminals

• An idle user checking interval can be enabled to detect online Web authenticated terminals.
• The online handshake function or re-authentication function can be enabled to detect online 802.1X authentication terminals at a configurable interval.
• An offline detection timer can be enabled to detect online MAC authentication terminals at a configurable interval.