Item: Description

HandShake: Specify whether to enable the online user handshake function.

The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the Handshake Period setting. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times setting) has been made, the network access device sets the user in the offline state. For information about the timers, see 4.

IMPORTANT:

If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.

Enable Re-authentication: Specify whether to enable periodic online user re-authentication on the port.

Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in 4.

Guest VLAN: Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an 802.1X guest VLAN."


Configuring an 802.1X guest VLAN

Table 111 Configuration guidelines

You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.

Assign different IDs to the voice VLAN, default VLAN, and 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN-tagged traffic.

With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.

Table 112 Configuration prerequisites

Create the VLAN to be specified as the 802.1X guest VLAN.

On the 802.1X-enabled port that performs port-based access control, enable 802.1X multicast trigger at the command line interface. (802.1X multicast trigger is enabled by default.)
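A pre-deployment check of a port plan against the guidelines and prerequisites above, as an added example that is not part of the original guide or the vendor's software. The PortPlan record, the finding codes, the port names, and the VLAN IDs are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PortPlan:
    """Hypothetical planning record for one 802.1X port (not a device API)."""
    name: str
    link_type: str                     # "access", "trunk" or "hybrid"
    access_control: str                # "portbased" or "macbased"
    default_vlan: int
    guest_vlan: Optional[int] = None   # single field: one guest VLAN per port
    voice_vlan: Optional[int] = None
    multicast_trigger: bool = True     # enabled by default according to the guide
    tagged_vlans: frozenset = frozenset()

def check_guest_vlan(port, existing_vlans):
    """Return (code, message) findings; an empty list means the port plan passes."""
    findings, gv = [], port.guest_vlan
    if gv is None:
        return findings
    if gv not in existing_vlans:       # prerequisite: the VLAN must already exist
        findings.append(("GUEST_VLAN_MISSING", f"{port.name}: create VLAN {gv} first"))
    seen = {}                          # guideline: guest, default, voice IDs differ
    for role, vid in (("guest", gv), ("default", port.default_vlan), ("voice", port.voice_vlan)):
        if vid is None:
            continue
        if vid in seen:
            findings.append(("VLAN_ID_SHARED",
                             f"{port.name}: {seen[vid]} and {role} VLAN share ID {vid}"))
        seen.setdefault(vid, role)
    if port.link_type == "hybrid" and gv in port.tagged_vlans:
        findings.append(("HYBRID_TAGGED_MEMBER", f"{port.name}: keep VLAN {gv} untagged"))
    if port.access_control == "portbased" and not port.multicast_trigger:
        findings.append(("MULTICAST_TRIGGER_OFF", f"{port.name}: enable multicast trigger"))
    return findings

# Constructed sample plan; port names and VLAN IDs are illustrative only.
EXISTING_VLANS = {1, 10, 20, 30}
PLAN = [
    PortPlan("GE1/0/2", "access", "portbased", default_vlan=1, guest_vlan=10),
    PortPlan("GE1/0/3", "hybrid", "portbased", default_vlan=1, guest_vlan=20,
             voice_vlan=20, tagged_vlans=frozenset({20}), multicast_trigger=False),
    PortPlan("GE1/0/4", "access", "portbased", default_vlan=1, guest_vlan=99),
]

def audit(plan, existing_vlans):
    """Map each port name to the list of finding codes raised for it."""
    return {p.name: [c for c, _ in check_guest_vlan(p, existing_vlans)] for p in plan}
```

Calling `audit(PLAN, EXISTING_VLANS)` lists the finding codes per port, so a plan can be corrected before the guest VLAN is applied on the device.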

Configuration examples

802.1X configuration example

Network requirements

As shown in a, perform 802.1X authentication on port GigabitEthernet 1/0/1 to control user access to the Internet. Configure MAC-based access control on the port, and enable periodic re-authentication of online users on the port so that the server can periodically update the users' authorization information.
