3Com WX3000 Configuring a free IP range , Setting the ACL timeout period

2-2

Configuration Procedure

Configuring a free IP range

A free IP range is an IP range that users can access before passing 802.1x authentication.

Follow these steps to configure a free IP range:

To do… Use the command… Remarks

Enter system view system-view —

Configure the URL for HTTP

redirection dot1x url url-string Required

Configure a free IP range dot1x free-ip ip-address

{ mask-address | mask-length }

Required

By default, no free IP range is

configured.

z You must configure the URL for HTTP redirection before configuring a free IP range. A URL must

start with http:// and the segment where the URL resides must be in the free IP range. Otherwise,

the redirection function cannot take effect.

z You must disable the DHCP-triggered authentication function of 802.1x before configuring a free IP

range.

z With dot1x enabled but quick EAD deployment disabled, users cannot access the DHCP server if

they fail 802.1x authentication. With quick EAD deployment enabled, users can obtain IP

addresses dynamically before passing authentication if the IP address of the DHCP server is in the

free IP range.

z The quick EAD deployment function applies to only ports with the authorization mode set to auto

through the dot1x port-control command.

z Currently, the quick EAD deployment function is implemented based on only 802.1x authentication.

z Currently, the quick EAD deployment function does not support port security. The configured free

IP range cannot take effect if you enable port security.

Setting the ACL timeout period

The quick EAD deployment function depends on ACLs in restricting access of users failing

authentication. Each online user that has not passed authentication occupies a certain amount of ACL

resources. After a user passes authentication, the occupied ACL resources will be released. When a

large number of users log in but cannot pass authentication, the device may run out of ACL resources,

preventing other users from logging in. A timer called ACL timer is designed to solve this problem.

You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user

gets online. If the user has not passed authentication when the ACL timer expires, the occupied ACL

resources are released for other users to use. If the device has a larger number of users, you can

decrease the timeout period of the ACL timer appropriately for higher utilization of ACL resources.