1x configuration example, Network requirements – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


| Item | Description |
|---|---|
| Max Number of Users | Set the maximum number of concurrent 802.1X users on the port. |
| Enable Handshake | Specify whether to enable the online user handshake function. |
| Enable Re-Authentication | Specify whether to enable periodic online user re-authentication on the port. |
| Guest VLAN | Specify an existing VLAN as the guest VLAN. IMPORTANT: Assign different VLAN IDs for the voice VLAN, the default VLAN of the port, and the 802.1X guest VLAN so that the port can correctly process incoming VLAN traffic. |
| Enable MAC VLAN | Select the box to enable MAC-based VLAN. Required when MAC Based is selected for Port Control. IMPORTANT: Only hybrid ports support the feature. |
| Auth-Fail VLAN | Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X authentication. IMPORTANT: If a user fails both 802.1X and MAC authentication on a port that implements MAC-based access control, the user is in the 802.1X Auth-Fail VLAN. Assign different VLAN IDs for the voice VLAN, the default VLAN of the port, and the 802.1X Auth-Fail VLAN so that the port can correctly process the incoming VLAN traffic. |
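
A pre-deployment check of the VLAN and port-type constraints in the table above, as an added example that is not part of the H3C manual. The `PortPlan` fields, the `audit_port` function and the sample VLAN IDs are this example's own assumptions, not identifiers from the device.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class PortPlan:
    # Field names are this example's own, not identifiers from the device.
    name: str
    link_type: str                 # "access", "trunk" or "hybrid"
    port_control: str              # "MAC Based" or "Port Based"
    default_vlan: int
    voice_vlan: Optional[int] = None
    guest_vlan: Optional[int] = None
    auth_fail_vlan: Optional[int] = None
    mac_vlan: bool = False


def audit_port(plan: PortPlan, existing_vlans: Set[int]) -> List[str]:
    """Return one finding per table constraint that the plan violates."""
    findings = []
    special = (("Guest VLAN", plan.guest_vlan),
               ("Auth-Fail VLAN", plan.auth_fail_vlan))
    for label, vid in special:
        if vid is None:
            continue
        if vid not in existing_vlans:
            findings.append(f"{label} {vid} is not an existing VLAN")
        if vid == plan.default_vlan:
            findings.append(f"{label} {vid} equals the port default VLAN")
        if plan.voice_vlan is not None and vid == plan.voice_vlan:
            findings.append(f"{label} {vid} equals the voice VLAN")
    # The voice and default VLANs must also differ once either special VLAN is set.
    if any(v is not None for _, v in special) and plan.voice_vlan == plan.default_vlan:
        findings.append(f"voice VLAN {plan.voice_vlan} equals the port default VLAN")
    if plan.port_control == "MAC Based" and not plan.mac_vlan:
        findings.append("MAC VLAN must be enabled when Port Control is MAC Based")
    if plan.mac_vlan and plan.link_type != "hybrid":
        findings.append(f"MAC VLAN needs a hybrid port, link type is {plan.link_type}")
    return findings


# Constructed sample plans; the VLAN IDs are invented for illustration.
VLANS = {1, 10, 20, 30}
GOOD = PortPlan("GigabitEthernet 1/0/1", "hybrid", "MAC Based", default_vlan=1,
                voice_vlan=10, guest_vlan=20, auth_fail_vlan=30, mac_vlan=True)
BAD = PortPlan("GigabitEthernet 1/0/1", "access", "MAC Based", default_vlan=1,
               voice_vlan=10, guest_vlan=10, auth_fail_vlan=40, mac_vlan=True)

if __name__ == "__main__":
    for plan in (GOOD, BAD):
        print(plan.name, audit_port(plan, VLANS) or "OK")
```
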

802.1X configuration example

Network requirements

As shown in Figure 284, perform 802.1X authentication on port GigabitEthernet 1/0/1 to control user access to the Internet. Set the access control method on the port to MAC-based, and enable periodic re-authentication of online users on the port so that the server can periodically update the authorization information of the users.

All users belong to the default domain test. RADIUS authentication is performed. If RADIUS accounting fails, the switch logs the corresponding user off. The RADIUS servers run CAMS or iMC.

A server group with two RADIUS servers is connected to the switch. The IP addresses of the servers are 10.1.1.1 and 10.1.1.2 respectively. Use the former as the primary authentication/secondary accounting server, and the latter as the secondary authentication/primary accounting server.

Set the shared key for the device to exchange packets with the authentication server as name, and
that for the device to exchange packets with the accounting server as money.

Configure the device to try up to five times, at an interval of 5 seconds, to transmit a packet to the RADIUS server until it receives a response from the server, and to send real-time accounting packets to the accounting server every 15 minutes.

Configure the device to remove the domain name from the username before passing the username to the RADIUS server.
