H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Item Description

Port Control

Set the access control method for the port: MAC Based or Port Based.

NOTE:

To use both 802.1X and portal authentication on a port, you must select MAC Based.

Port Authorization

Select the port authorization state for 802.1X. Options include:

Auto—Places the port initially in unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in authorized state to allow access to the network. You can use this option in most scenarios.

Force-Authorized—Places the port in authorized state, enabling users on the port to access the network without authentication.

Force-Unauthorized—Places the port in unauthorized state, denying any access requests from users on the port.

Max Number of Users

Set the maximum number of concurrent 802.1X users on the port. The maximum number varies by device model. For more information, see "About the H3C Access Controllers Web-Based Configuration Guide."

Enable Handshake

Specify whether to enable the online user handshake function.

The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the Handshake Period setting. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times setting) has been made, the network access device sets the user in offline state. For information about the timers, see "802.1X timers."

NOTE:

If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.

Enable Re-Authentication

Specify whether to enable periodic online user re-authentication on the port.

Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in Table 167.

NOTE:

The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication, even if the function is not configured. Support for server assignment of the re-authentication timer, and the way the timer is configured on the server, vary with servers.

The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.

Guest VLAN

Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an 802.1X guest VLAN."
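
The two re-authentication notes in the table above can be checked against authentication-server results before a policy change reaches the port. The Python below is an added example, not H3C code: the record layout, function names, and sample data are assumptions, and the device period is assumed to use the same unit as the server's session-timeout.

```python
# Added example: models the re-authentication rules in the table above.
# Record layout and function names are assumptions made for this sketch.
from typing import List, NamedTuple, Optional, Tuple


class AuthResult(NamedTuple):
    user: str
    phase: str            # "auth" = initial authentication, "reauth" = re-authentication
    vlan: Optional[int]   # server-assigned VLAN, or None when no VLAN is assigned


def effective_reauth(device_enabled: bool, device_period: int,
                     session_timeout: Optional[int]) -> Tuple[bool, Optional[int]]:
    """A server-assigned session-timeout overrides the device timer and
    enables re-authentication even if it is not configured on the port."""
    if session_timeout is not None:
        return True, session_timeout
    return (True, device_period) if device_enabled else (False, None)


def vlan_violations(results: List[AuthResult]) -> List[Tuple[str, str]]:
    """Flag re-authentications whose VLAN assignment status differs from the
    status before them; the manual says this can log the user off."""
    had_vlan = {}  # user -> whether a VLAN was assigned at the last accepted step
    flagged = []
    for r in results:
        has_vlan = r.vlan is not None
        if r.phase == "reauth" and r.user in had_vlan and had_vlan[r.user] != has_vlan:
            reason = ("VLAN before, none at re-authentication" if had_vlan[r.user]
                      else "no VLAN before, VLAN at re-authentication")
            flagged.append((r.user, reason))
            del had_vlan[r.user]  # treat the user as logged off
            continue
        had_vlan[r.user] = has_vlan
    return flagged


# Constructed sample records, not taken from a real device or server.
SAMPLE = [
    AuthResult("alice", "auth", 10), AuthResult("alice", "reauth", 20),    # VLAN may change
    AuthResult("bob", "auth", 10), AuthResult("bob", "reauth", None),      # violation
    AuthResult("carol", "auth", None), AuthResult("carol", "reauth", 30),  # violation
    AuthResult("dave", "auth", None), AuthResult("dave", "reauth", None),  # consistent
]

if __name__ == "__main__":
    for user, reason in vlan_violations(SAMPLE):
        print(f"{user}: {reason}")
```
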
