Handshake timer—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off. For information about how to enable the online user handshake function, see "Configuring 802.1X on a port."

Quiet timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

Periodic online user re-authentication timer—Sets the interval at which the network device periodically re-authenticates online 802.1X users. For information about how to enable periodic online user re-authentication on a port, see "Configuring 802.1X on a port."

Using 802.1X authentication with other features

VLAN assignment

You can configure the authentication server to assign a VLAN for an 802.1X user that has passed authentication. The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode.

Access control: Port-based
VLAN manipulation: Assigns the VLAN to the port as the port VLAN (PVID). The authenticated 802.1X user and all subsequent 802.1X users can access the VLAN without authentication. When the user logs off, the previous PVID is restored, and all other online users are logged off.

Access control: MAC-based
VLAN manipulation: If the port is a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
If the port is an access port, a trunk port, or a hybrid port with MAC-based VLAN disabled, the device assigns the first authenticated user's VLAN to the port as the PVID. If a different VLAN is assigned to a subsequent user, that user cannot pass authentication. To avoid authentication failures for subsequent users, assign the same VLAN to all 802.1X users on these ports.

With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.

On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed.
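The VLAN manipulation rules in the table above, as a small Python model added here to make the three cases concrete. This is not device software and not code from the guide; the class and method names (Dot1xPort, authenticate, logoff, user_must_authenticate) are assumptions, and the port names, MAC addresses and VLAN IDs in the scenarios are constructed. The model also makes the risk of port-based mode explicit: once one user is online, user_must_authenticate() returns False because later users ride the port's VLAN without authenticating.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Dot1xPort:
    """One 802.1X-enabled port (model only; field names are assumptions)."""
    name: str
    link_type: str                 # "access", "trunk" or "hybrid"
    access_control: str            # "port-based" or "mac-based"
    mac_vlan_enabled: bool = False # MAC-based VLAN feature (hybrid ports only)
    pvid: int = 1
    saved_pvid: Optional[int] = None
    online_users: Dict[str, int] = field(default_factory=dict)  # MAC -> VLAN in use
    mac_vlan_map: Dict[str, int] = field(default_factory=dict)  # MAC-to-VLAN mappings

    def _uses_mac_vlan(self) -> bool:
        return self.link_type == "hybrid" and self.mac_vlan_enabled

    def user_must_authenticate(self) -> bool:
        """Port-based mode: once one user is online, later users access the PVID
        without authenticating. In MAC-based mode every user authenticates."""
        return not (self.access_control == "port-based" and self.online_users)

    def authenticate(self, mac: str, server_vlan: int) -> bool:
        """Apply the VLAN the authentication server assigned to `mac`.
        Returns True if the user comes online, False if authentication fails."""
        if self.access_control == "port-based":
            if self.online_users:
                # Subsequent users are not authenticated; they use the current PVID.
                self.online_users[mac] = self.pvid
                return True
            # First user: its VLAN becomes the PVID; remember the old one for logoff.
            self.saved_pvid = self.pvid
            self.pvid = server_vlan
            self.online_users[mac] = server_vlan
            return True
        if self._uses_mac_vlan():
            # Hybrid port with MAC-based VLAN: per-user mapping, PVID untouched.
            self.mac_vlan_map[mac] = server_vlan
            self.online_users[mac] = server_vlan
            return True
        # Access, trunk, or hybrid without MAC-based VLAN: first user's VLAN is the PVID.
        if not self.online_users:
            self.saved_pvid = self.pvid
            self.pvid = server_vlan
            self.online_users[mac] = server_vlan
            return True
        if server_vlan != self.pvid:
            return False  # a different VLAN for a subsequent user fails authentication
        self.online_users[mac] = server_vlan
        return True

    def logoff(self, mac: str) -> None:
        if mac not in self.online_users:
            return
        if self.access_control == "port-based":
            # Previous PVID is restored and every other online user is logged off.
            if self.saved_pvid is not None:
                self.pvid = self.saved_pvid
            self.saved_pvid = None
            self.online_users.clear()
            return
        del self.online_users[mac]
        if self._uses_mac_vlan():
            self.mac_vlan_map.pop(mac, None)  # only this user's mapping is removed
        # For access/trunk ports the table does not say the PVID is restored, so it stays.


def run_scenarios() -> Dict[str, object]:
    """Constructed scenarios, one per table row; all names and numbers are made up."""
    results: Dict[str, object] = {}

    pb = Dot1xPort("GE1/0/1", "access", "port-based", pvid=1)
    pb.authenticate("00-11-22-33-44-01", 10)
    results["port_based_pvid"] = pb.pvid                                   # 10
    results["port_based_second_needs_auth"] = pb.user_must_authenticate()  # False
    pb.authenticate("00-11-22-33-44-02", 99)  # rides VLAN 10, server VLAN ignored
    results["port_based_second_vlan"] = pb.online_users["00-11-22-33-44-02"]  # 10
    pb.logoff("00-11-22-33-44-01")
    results["port_based_after_logoff"] = (pb.pvid, len(pb.online_users))  # (1, 0)

    hy = Dot1xPort("GE1/0/2", "hybrid", "mac-based", mac_vlan_enabled=True, pvid=1)
    hy.authenticate("00-11-22-33-44-03", 10)
    hy.authenticate("00-11-22-33-44-04", 20)
    results["hybrid_pvid"] = hy.pvid                                       # 1
    hy.logoff("00-11-22-33-44-03")
    results["hybrid_map_after_logoff"] = dict(hy.mac_vlan_map)  # {"00-11-22-33-44-04": 20}

    ac = Dot1xPort("GE1/0/3", "access", "mac-based", pvid=1)
    results["access_mac_first"] = ac.authenticate("00-11-22-33-44-05", 10)     # True
    results["access_mac_mismatch"] = ac.authenticate("00-11-22-33-44-06", 20)  # False
    results["access_mac_same"] = ac.authenticate("00-11-22-33-44-07", 10)      # True
    results["access_mac_pvid"] = ac.pvid                                       # 10
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The port-based scenario is the one to watch when reviewing a deployment: after the first user authenticates, the second MAC is placed in VLAN 10 regardless of what the server would have returned for it, and a single logoff drops everyone on the port.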

Guest VLAN

You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. Once a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.

On a port that performs port-based access control:
