Configuration Procedure

Configuring a free IP range

A free IP range is an IP range that users can access before passing 802.1x authentication.

Follow these steps to configure a free IP range:

 

To do…                                  | Use the command…                                         | Remarks
Enter system view                       | system-view                                              |
Configure the URL for HTTP redirection  | dot1x url url-string                                     | Required
Configure a free IP range               | dot1x free-ip ip-address { mask-address | mask-length }  | Required. By default, no free IP range is configured.

You must configure the URL for HTTP redirection before configuring a free IP range. A URL must start with http:// and the segment where the URL resides must be in the free IP range. Otherwise, the redirection function cannot take effect.

You must disable the DHCP-triggered authentication function of 802.1x before configuring a free IP range.

With dot1x enabled but quick EAD deployment disabled, users cannot access the DHCP server if they fail 802.1x authentication. With quick EAD deployment enabled, users can obtain IP addresses dynamically before passing authentication if the IP address of the DHCP server is in the free IP range.

The quick EAD deployment function applies only to ports with the authorization mode set to auto through the dot1x port-control command.

Currently, the quick EAD deployment function is implemented based on 802.1x authentication only and does not support port security. The configured free IP range cannot take effect if you enable port security.
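The constraints above can be checked against a planned configuration before it is applied. The following Python sketch is an added example, not part of the original manual or of any vendor tool: the function name check_quick_ead, the sample addresses and the dhcp_server parameter are assumptions made for illustration. It verifies that the URL is configured before the free IP range, that it starts with http://, and that the redirection server and the DHCP server fall inside the free IP range.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample configuration; all addresses are illustrative.
SAMPLE_CONFIG = """\
system-view
dot1x url http://192.168.0.111
dot1x free-ip 192.168.0.0 255.255.255.0
"""

def check_quick_ead(config, dhcp_server=None):
    """Return the problems that would break redirection or pre-authentication DHCP."""
    problems, url, ranges = [], None, []
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["dot1x", "url"] and len(words) == 3:
            url = words[2]
        elif words[:2] == ["dot1x", "free-ip"] and len(words) == 4:
            if url is None:
                problems.append("free IP range configured before the redirection URL")
            # The mask may be dotted (255.255.255.0) or a length (24).
            ranges.append(ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False))
    if url is None:
        problems.append("no redirection URL configured")
    elif not url.startswith("http://"):
        problems.append("redirection URL does not start with http://")
    else:
        host = urlsplit(url).hostname or ""
        try:
            addr = ipaddress.ip_address(host)
            if not any(addr in net for net in ranges):
                problems.append(f"redirection server {addr} is outside the free IP range")
        except ValueError:
            # A host name cannot be checked offline; flag it for manual review.
            problems.append(f"cannot verify that host '{host}' is in the free IP range")
    if not ranges:
        problems.append("no free IP range configured")
    if dhcp_server and not any(ipaddress.ip_address(dhcp_server) in n for n in ranges):
        problems.append(f"DHCP server {dhcp_server} is outside the free IP range")
    return problems

if __name__ == "__main__":
    for problem in check_quick_ead(SAMPLE_CONFIG, dhcp_server="192.168.0.10") or ["OK"]:
        print(problem)
```

An empty result means the planned commands satisfy the ordering and addressing rules; it does not check the DHCP-triggered authentication or port security settings, which must still be reviewed on the device.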

Setting the ACL timeout period

The quick EAD deployment function depends on ACLs to restrict the access of users who fail authentication. Each online user that has not passed authentication occupies a certain amount of ACL resources. After a user passes authentication, the occupied ACL resources are released. When a large number of users log in but cannot pass authentication, the device may run out of ACL resources, preventing other users from logging in. A timer called the ACL timer is designed to solve this problem.

You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online. If the user has not passed authentication when the ACL timer expires, the occupied ACL resources are released for other users to use. If the device has a large number of users, you can decrease the timeout period of the ACL timer appropriately for higher utilization of ACL resources.

3Com WX3000 Configuring a free IP range, Setting the ACL timeout period, Dot1x url url-string, Dot1x free-ip ip-address