402 CHAPTER 21: 802.1X CONFIGURATION
Configuration procedure
1. Enter system view.
<S5500> system-view
2. Create VLAN 2.
[S5500] vlan 2
3. Enter Ethernet1/0/1 port view.
[S5500] interface ethernet1/0/1
4. Configure the port to operate in port-based authentication mode.
[S5500-Ethernet1/0/1] dot1x port-method portbased
5. Configure the Guest VLAN for the port.
[S5500-Ethernet1/0/1] dot1x guest-vlan 2
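The procedure above and the supplicant-system checking actions described later in this chapter, combined into one port configuration as an added example (not taken from the manual). The global and per-port dot1x enabling commands and the use of supp-proxy-check in Ethernet port view are assumptions; the manual text on this page shows only the VLAN, port-method, guest-vlan and supp-proxy-check commands.

```text
# Added example, not from the manual. Assumed: "dot1x" in system view enables
# 802.1x globally and "dot1x" in port view enables it on the port.
<S5500> system-view
[S5500] dot1x                                       # enable 802.1x globally (assumed)
[S5500] vlan 2                                      # VLAN used as the Guest VLAN
[S5500-vlan2] quit
[S5500] interface ethernet1/0/1
[S5500-Ethernet1/0/1] dot1x                         # enable 802.1x on this port (assumed)
[S5500-Ethernet1/0/1] dot1x port-method portbased   # Guest VLAN requires port-based mode
[S5500-Ethernet1/0/1] dot1x guest-vlan 2            # unauthenticated hosts land in VLAN 2
[S5500-Ethernet1/0/1] dot1x supp-proxy-check trap   # alert on proxy/multi-NIC logins only
[S5500-Ethernet1/0/1] quit
```

Replace `trap` with `logoff` on the last dot1x line to disconnect the supplicant as well as send the trap; `trap` is the less disruptive choice while a CAMS deployment is still being validated.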
The 802.1x Trusted MAC Address Synchronization Function
Trusted MAC address here refers to the MAC address of a supplicant system that
passes 802.1x authentication or MAC address-based authentication. Once the
supplicant system is authenticated, its MAC address becomes a trusted MAC address.
The 802.1x trusted MAC address synchronization function propagates trusted MAC
addresses within an IRF (intelligent resilient framework) fabric when the
corresponding supplicant systems pass authentication on IRF-enabled switches.
■In an IRF that does not support the 802.1x trusted MAC address synchronization
function, authentication is performed only in the unit where the port with the
supplicant system attached resides. After the supplicant system passes
authentication, its MAC address is not propagated to the other units (that is, the
MAC address is recognized only by the unit to which the supplicant system is
directly connected). Traffic destined for that MAC address is therefore flooded by
the other units, which may result in broadcast storms in the fabric.
■In an IRF that supports the 802.1x trusted MAC address synchronization function,
the MAC address of an authenticated supplicant system is propagated to all units
of the fabric. When the supplicant system logs off, all units in the fabric remove
the corresponding MAC address. That is, trusted MAC addresses are synchronized
across all units whenever a supplicant system joins or leaves the fabric.
802.1x Supplicant System Checking
When used together with a CAMS server, a Switch 5500 can check for:
■Supplicant systems logging in through proxies
■Supplicant systems logging in through IE proxies
■Supplicant systems logging in with more than one network adapter active
A Switch 5500 can optionally take one of the following measures against any of
the three cases:
■Disconnect the supplicant system and send Trap packets (configured with the
dot1x supp-proxy-check logoff command).
■Send Trap packets without disconnecting the supplicant system (configured with
the dot1x supp-proxy-check trap command).
For this function to work, the 802.1x clients and the CAMS server must meet the
following requirements:
■The 802.1x clients are capable of detecting multiple network adapters, proxies,
and IE proxies.