Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure 802.1X Authentication and Secure Channel Authentication Property

If the 802.1X authentication function or the secure channel authentication function is not enabled on the interface, then the configured related property does not take effect.

Configure Port Authentication Mode

The 802.1X authentication mode includes relay authentication mode and terminating authentication mode.

802.1X authentication system comprises client, authentication device and authentication server. The standard 802.1X protocol defines that the client and authentication server interact via the EAP packet. The authentication device plays as the “relay” role during the interacting. The authentication device encapsulates the EAP data sent by the client in the other protocol, such as the RADIUS protocol, and send to the authentication server. Similarly, the authentication device encapsulates the EAP data sent by the authentication server in the EAPOL packet and forwards to the client. The interacting mode is called relay authentication mode. The relay authentication mode requires that the authentication server supports the EAP protocol. Configuring the authentication mechanism supported by the EAP relay authentication mode depends on the client and authentication server.

The earlier deployed authentication server may not support the EAP protocol and needs to be configured as the terminating authentication mode. The EAP packet of the client is not directly sent to the authentication server, but the authentication device completes the EAP packet interacting with the client. After getting the enough user authentication information, the authentication device sends the authentication information to the authentication server for authentication.

EAP terminating authentication mode supports PAP (Password Authentication Protocol) authentication and CHAP (Challenge Handshake Authentication Protocol) authentication.

Table 12-7 Configure the port authentication mode

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either

After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Configure the port authentication mode

dot1x eap-relay { enable | disable }

Mandatory

By default, the authentication mode in the port is the terminating authentication mode.

note


  • Configuring terminating authentication mode only supports the MD5-based (Message Digest Algorithm) EAP authentication. The 802.1x authentication function and secure channel authentication function support the relay and terminating authentication mode.
  • When the client adopts the certificate authentication, the authentication port needs to be configured as the relay authentication mode.
  • The MAC address authentication can only support the terminating authentication mode.

Configure Multicast Triggering Function

Some terminal is installed with the 802.1X authentication client, but the client does not actively initiates the authentication. The authentication process can only depend on the authentication device to trigger. The authentication device periodically sends the multicast packet requesting the user name to the port configured with the multicast triggering. After receiving the packet, the client answers the authentication request of the authentication device and starts the 802.1X authentication.

Table 12–8 Configure the multicast triggering function

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either
After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

 

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Enable the multicast trigger

dot1x multicast-trigger

Mandatory

By default, the multicast trigger function in the port is disabled.

Configure the triggering period of the multicast

dot1x multicast-period multicast-period-value

Optional

By default, the multicast trigger time in the port is 15s.

note


  • If the client does not support the multicast trigger function, the adapter display of the client may be abnormal. Meanwhile, it may cause the re-authentication failure.

Configure Re-authentication Function

To check whether the client is online, avoid the abnormal crashing of the client affecting the correctness of the user accounting, and prevent the client from being used by others, the authentication device periodically initiates the re-authentication request to the client. During the process, the user does not need to input the user name or password again.

Table 12-9 Configure the re-authentication function

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either
After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Configure the re-authentication

dot1x reauthentication

Mandatory

By default, the re-authentication function is enabled in the port.

Configure Maximum Authentication Failure Times

After the client authentication failure times reach the threshold, the client enters the dead state. During the dead time, the authentication device does not answer the authentication request initiated by the client any more.

Table 12–10 Configure the maximum authentication failure times

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either
After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

 

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Configure the maximum port authentication failure times

dot1x max-authfail max-authfail-value

Mandatory

By default, the maximum authentication failure time of the port is 1.

Configure Packet Transparent Transmission Function

In the actual application environment, the authentication terminal and authentication device may cross the intermediate device. If the intermediate device cannot transmit the EAPOL packet transparently, the authentication cannot be performed normally. To make the authentication be done normally, we need to enable the function of transmitting the EAPOL packet transparently on the port of the intermediate device receiving the EAPOL packet and configure one uplink port for the port. If the port enabled with the function of transmitting the EAPOL packet transparently receives the EAPOL packet, send the packet from the configured uplink port. If the device directly connected to the uplink port is authentication device, the authentication device processes after receiving the EAPOL packet.

Table 12–11 Configure the packet transparent transmission function

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either
After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Configure the packet transparent transmission function

dot1x eapol-relay { enable | disble }

Mandatory

By default, the function of transmitting the packet transparently in the port is disabled.

Configure the uplink port

dot1x eapol-relay uplink { interface interface-name | link-aggregation link-aggregation-id }

Mandatory

By default, the port is not configured with the uplink port.

Configure Keepalive Function

To detect whether the client is online, the authentication device periodically sends the EAP-Request/Identity packet to the client. If receiving the EAP-Response/Identity packet from the client, send the EAP-Request/MD5 Challenge packet to the client. If authentication system receives the EAP-Response/MD5 Challenge packet, confirm that the client is online normally and send the EAP-Success packet to inform the client of keepalive success.

Table 12–12 Configure the keepalive function

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either
After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Configure the keepalive function

dot1x keepalive { enable | disable }

Mandatory

By default, the keepalive function in the port is disabled.

Configure the keepalive time

dot1x keepalive period period-value

Optional

By default, the keepalive period in the port is 60s.

Configure the times of re-transmitting the keepalive packet

dot1x keepalive retries

retries-value

Optional

By default, the maximum keepalive time in the port is 3.

Configure the keepliave type

dot1x keepalive type { request-identity | request-md5}

Optional

By default, the keepalive type in the port is the standard keeplive.

note


  • The keepalive function needs to be supported by the 802.1X authentication client software (such as Maipu TC client). If the client does not support, it may result in the keepalive failure and the user gets offline.

Configure Not Waiting for Server Response

In the relay authentication mode, the client may send some packets that the server does not answer. The packets make the session channel between the authentication device and the authentication server be occupied and as a result, the subsequent client authentication fails. We can enable the function of not waiting for the server response in the port to avoid the problem.

Table 12-13 Configure the function of not waiting for the server response

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either
After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Configure the function of not waiting for the server response

dot1x nowait-result

Mandatory

By default, the function of not waiting for the server response is disabled.