If neither the 802.1X authentication function nor the secure channel authentication function is enabled on the interface, the related properties configured on it do not take effect.
Configure Port Authentication Mode
The 802.1X authentication mode is either relay authentication mode or terminating authentication mode.
An 802.1X authentication system comprises a client, an authentication device and an authentication server. The standard 802.1X protocol defines that the client and the authentication server interact via EAP packets, with the authentication device acting as a "relay" during the exchange. The authentication device encapsulates the EAP data sent by the client in another protocol, such as RADIUS, and sends it to the authentication server; likewise, it encapsulates the EAP data sent by the authentication server in EAPOL packets and forwards them to the client. This interaction mode is called relay authentication mode. Relay authentication mode requires the authentication server to support the EAP protocol. Which authentication mechanisms can be configured in EAP relay authentication mode depends on the client and the authentication server.
An authentication server deployed earlier may not support the EAP protocol, in which case terminating authentication mode must be configured. The EAP packets of the client are not sent directly to the authentication server; instead, the authentication device completes the EAP exchange with the client itself. Once it has collected enough user authentication information, the authentication device sends that information to the authentication server for authentication.
EAP terminating authentication mode supports PAP (Password Authentication Protocol) authentication and CHAP (Challenge Handshake Authentication Protocol) authentication.
Table 12-7 Configure the port authentication mode

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see above) |
| Configure the port authentication mode | dot1x eap-relay { enable \| disable } | Mandatory. By default, the authentication mode of the port is terminating authentication mode. |

- Terminating authentication mode only supports MD5-based (Message Digest Algorithm 5) EAP authentication. Both the 802.1X authentication function and the secure channel authentication function support relay and terminating authentication mode.
- When the client uses certificate authentication, the authentication port must be configured in relay authentication mode.
- MAC address authentication only supports terminating authentication mode.
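The difference between the two modes is easiest to see in code. The following Python model is an added example, not Maipu code: the RADIUS transport is replaced by direct method calls, the only EAP method implemented is EAP-MD5 (the method the notes above say terminating mode supports), and the class and function names (`Supplicant`, `RadiusServer`, `Authenticator`, `eap_relay`) are the example's own. In relay mode the switch only passes EAP packets through and the server must understand EAP; in terminating mode the switch itself runs the MD5 challenge with the client and hands the server the CHAP challenge/response pair, which is why a legacy server without EAP support still works there.

```python
"""Model of relay vs. terminating 802.1X authentication (added example, not Maipu code).

The RADIUS transport is replaced by direct Python calls; EAP message fields follow
RFC 3748 and the EAP-MD5 response is the CHAP computation of RFC 1994.
"""
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE = 1, 2      # EAP codes (RFC 3748)
TYPE_IDENTITY, TYPE_MD5 = 1, 4        # EAP types: Identity, MD5-Challenge


def eap_md5_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def eap(code: int, eap_id: int, eap_type: int, data: bytes) -> dict:
    return {"code": code, "id": eap_id, "type": eap_type, "data": data}


class Supplicant:
    """802.1X client that answers Identity and MD5-Challenge requests."""

    def __init__(self, username: bytes, password: bytes):
        self.username, self.password = username, password

    def handle(self, req: dict) -> dict:
        if req["type"] == TYPE_IDENTITY:
            return eap(EAP_RESPONSE, req["id"], TYPE_IDENTITY, self.username)
        if req["type"] == TYPE_MD5:
            return eap(EAP_RESPONSE, req["id"], TYPE_MD5,
                       eap_md5_response(req["id"], self.password, req["data"]))
        raise ValueError("unsupported EAP type")


class RadiusServer:
    """Authentication server; eap_capable=False models a legacy server without EAP support."""

    def __init__(self, users: dict, eap_capable: bool):
        self.users, self.eap_capable = users, eap_capable

    def _verify(self, username: bytes, eap_id: int, challenge: bytes, response: bytes) -> bool:
        pw = self.users.get(username)
        return pw is not None and hmac.compare_digest(eap_md5_response(eap_id, pw, challenge), response)

    def access_request_eap(self, state, eap_pkt: dict):
        """Relay mode: the server runs the EAP method itself (EAP carried in RADIUS EAP-Message).
        Returns (result, eap_reply, state), i.e. Access-Challenge / Accept / Reject."""
        if not self.eap_capable:
            return "REJECT", None, None   # legacy server cannot process EAP (model assumption)
        if eap_pkt["type"] == TYPE_IDENTITY:
            challenge, new_id = os.urandom(16), eap_pkt["id"] + 1
            return "CHALLENGE", eap(EAP_REQUEST, new_id, TYPE_MD5, challenge), (eap_pkt["data"], new_id, challenge)
        username, expected_id, challenge = state
        ok = eap_pkt["id"] == expected_id and self._verify(username, expected_id, challenge, eap_pkt["data"])
        return ("ACCEPT" if ok else "REJECT"), None, None

    def access_request_chap(self, username: bytes, chap_id: int, challenge: bytes, response: bytes) -> bool:
        """Terminating mode: the device sends CHAP-Challenge / CHAP-Password (RFC 2865); no EAP needed."""
        return self._verify(username, chap_id, challenge, response)


class Authenticator:
    """The switch port; eap_relay mirrors dot1x eap-relay { enable | disable }."""

    def __init__(self, server: RadiusServer, eap_relay: bool):
        self.server, self.eap_relay = server, eap_relay

    def authenticate(self, client: Supplicant) -> bool:
        identity = client.handle(eap(EAP_REQUEST, 1, TYPE_IDENTITY, b""))
        if self.eap_relay:
            # Relay: pass EAP packets between client and server without interpreting them.
            state, pkt = None, identity
            while True:
                result, reply, state = self.server.access_request_eap(state, pkt)
                if result != "CHALLENGE":
                    return result == "ACCEPT"
                pkt = client.handle(reply)
        # Terminating: the device itself runs EAP-MD5 with the client ...
        challenge, chap_id = os.urandom(16), 2
        md5 = client.handle(eap(EAP_REQUEST, chap_id, TYPE_MD5, challenge))
        # ... and then hands the collected CHAP material to the server.
        return self.server.access_request_chap(identity["data"], chap_id, challenge, md5["data"])


# Constructed sample credentials, not from any real deployment.
USERS = {b"alice": b"s3cret"}


def demo() -> dict:
    good = Supplicant(b"alice", b"s3cret")
    bad = Supplicant(b"alice", b"wrong")
    return {
        "relay_with_eap_server": Authenticator(RadiusServer(USERS, True), True).authenticate(good),
        "relay_with_legacy_server": Authenticator(RadiusServer(USERS, False), True).authenticate(good),
        "terminating_with_legacy_server": Authenticator(RadiusServer(USERS, False), False).authenticate(good),
        "terminating_wrong_password": Authenticator(RadiusServer(USERS, False), False).authenticate(bad),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ACCEPT' if ok else 'REJECT'}")
```

The second case is the deployment mistake the text warns about: `dot1x eap-relay enable` against a server that does not speak EAP fails every authentication, while the same server works once the port is switched to terminating mode. The model also makes clear why terminating mode is limited to MD5: the switch must implement the EAP method itself, so a certificate-based method (which the notes say needs relay mode) cannot be terminated on the port.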
Configure Multicast Triggering Function
Some terminals have the 802.1X authentication client installed, but the client does not actively initiate authentication; the authentication process can then only be triggered by the authentication device. The authentication device periodically sends a multicast packet requesting the user name out of every port configured with multicast triggering. After receiving the packet, the client answers the authentication request of the authentication device and starts 802.1X authentication.
Table 12-8 Configure the multicast triggering function

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see above) |
| Enable the multicast trigger | dot1x multicast-trigger | Mandatory. By default, the multicast trigger function is disabled on the port. |
| Configure the multicast triggering period | dot1x multicast-period multicast-period-value | Optional. By default, the multicast trigger period on the port is 15s. |

- If the client does not support the multicast trigger function, the adapter display on the client may be abnormal, and re-authentication may fail.
Configure Re-authentication Function
To check whether the client is still online, to avoid an abnormal client crash affecting the correctness of user accounting, and to prevent the client from being used by others, the authentication device periodically initiates a re-authentication request to the client. During this process, the user does not need to enter the user name or password again.
Table 12-9 Configure the re-authentication function

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see above) |
| Configure re-authentication | dot1x reauthentication | Mandatory. By default, the re-authentication function is enabled on the port. |
Configure Maximum Authentication Failure Times
After the number of client authentication failures reaches the threshold, the client enters the dead state. During the dead time, the authentication device no longer answers authentication requests initiated by the client.
Table 12-10 Configure the maximum authentication failure times

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see above) |
| Configure the maximum number of port authentication failures | dot1x max-authfail max-authfail-value | Mandatory. By default, the maximum number of authentication failures on the port is 1. |
Configure Packet Transparent Transmission Function
In a real deployment, the authentication terminal and the authentication device may be separated by an intermediate device. If the intermediate device cannot transmit EAPOL packets transparently, authentication cannot proceed normally. To make authentication work, enable the function of transmitting EAPOL packets transparently on the port of the intermediate device that receives the EAPOL packets, and configure an uplink port for that port. When a port enabled with transparent EAPOL transmission receives an EAPOL packet, it sends the packet out of the configured uplink port. If the device directly connected to the uplink port is the authentication device, the authentication device processes the EAPOL packet after receiving it.
Table 12-11 Configure the packet transparent transmission function

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see above) |
| Configure the packet transparent transmission function | dot1x eapol-relay { enable \| disable } | Mandatory. By default, transparent transmission of EAPOL packets is disabled on the port. |
| Configure the uplink port | dot1x eapol-relay uplink { interface interface-name \| link-aggregation link-aggregation-id } | Mandatory. By default, no uplink port is configured for the port. |
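Both the multicast trigger (earlier in this chapter) and the transparent transmission function come down to how EAPOL frames look on the wire and what an intermediate switch does with them. The Python below is an added example, not Maipu code: it builds the EAP-Request/Identity trigger frame and an EAPOL-Start frame addressed to the 802.1X PAE group address, parses them defensively, and applies the forwarding rule the text describes (EAPOL received on a port with `dot1x eapol-relay` enabled goes out of that port's configured uplink). The interface names and the `PortConfig` structure are the example's own; an ordinary bridge drops frames sent to the PAE group address rather than flooding them, which is why the relay function exists.

```python
"""EAPOL frames on an intermediate switch (added example, not Maipu code).

Shows the multicast trigger frame (EAP-Request/Identity to the PAE group address), an
EAPOL-Start from a client, and the forwarding decision for dot1x eapol-relay with an
uplink port. Frame layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP).
"""
import struct
from dataclasses import dataclass
from typing import Optional

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2                                # 802.1X-2004
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, TYPE_IDENTITY = 1, 1


def build_request_identity(src_mac: bytes, eap_id: int) -> bytes:
    """Multicast trigger frame: Ethernet + EAPOL(EAP-Packet) + EAP-Request/Identity."""
    eap = struct.pack("!BBHB", EAP_REQUEST, eap_id, 5, TYPE_IDENTITY)   # code, id, length, type
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def build_eapol_start(src_mac: bytes) -> bytes:
    """EAPOL-Start as sent by a client that initiates authentication itself (empty body)."""
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_START, 0)
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eapol(frame: bytes) -> Optional[tuple]:
    """Return (dst, src, eapol_type) for a well-formed EAPOL frame, else None."""
    if len(frame) < 18:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if len(frame) < 18 + length:
        return None                     # truncated body: reject rather than guess
    return dst, src, eapol_type


@dataclass
class PortConfig:
    eapol_relay: bool = False           # dot1x eapol-relay enable
    uplink: Optional[str] = None        # dot1x eapol-relay uplink ...


def forward_eapol(ingress: str, frame: bytes, ports: dict) -> tuple:
    """Forwarding decision of the intermediate device for a frame received on `ingress`.

    Returns ("relay", uplink) when the EAPOL frame is sent out of the uplink port,
    ("drop", None) when it is EAPOL the device cannot or must not forward, and
    ("bridge", None) for non-EAPOL traffic left to ordinary L2 switching.
    """
    if parse_eapol(frame) is None:
        if len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL:
            return "drop", None         # malformed EAPOL
        return "bridge", None
    cfg = ports.get(ingress, PortConfig())
    # Frames to the PAE group address are not flooded by a normal bridge, so without
    # eapol-relay plus an uplink the client's EAPOL never reaches the authenticator.
    if not cfg.eapol_relay or cfg.uplink is None:
        return "drop", None
    return "relay", cfg.uplink


# Constructed sample port table; interface names are placeholders.
PORTS = {
    "gigabitethernet0/1": PortConfig(eapol_relay=True, uplink="gigabitethernet0/24"),
    "gigabitethernet0/2": PortConfig(eapol_relay=True),        # relay on, but no uplink configured
    "gigabitethernet0/3": PortConfig(),                         # defaults: relay disabled
}


def demo() -> dict:
    client_mac = bytes.fromhex("001122334455")                  # constructed address
    trigger = build_request_identity(bytes.fromhex("00aabbccddee"), eap_id=7)
    start = build_eapol_start(client_mac)
    return {
        "trigger_len": len(trigger),
        "trigger_parsed": parse_eapol(trigger),
        "start_parsed": parse_eapol(start),
        "relayed": forward_eapol("gigabitethernet0/1", start, PORTS),
        "no_uplink": forward_eapol("gigabitethernet0/2", start, PORTS),
        "default_port": forward_eapol("gigabitethernet0/3", start, PORTS),
        "truncated": forward_eapol("gigabitethernet0/1", trigger[:-2], PORTS),
        "plain_ip": forward_eapol("gigabitethernet0/1", start[:12] + b"\x08\x00" + b"\x00" * 20, PORTS),
    }
```

The `default_port` case is the failure the text describes: with the function left at its default (disabled), the client's EAPOL-Start stops at the intermediate device and the authentication device never sees it. The `no_uplink` case shows why the uplink step in Table 12-11 is mandatory rather than optional.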
Configure Keepalive Function
To detect whether the client is online, the authentication device periodically sends an EAP-Request/Identity packet to the client. If it receives an EAP-Response/Identity packet from the client, it sends an EAP-Request/MD5-Challenge packet to the client. If the authentication system then receives an EAP-Response/MD5-Challenge packet, it confirms that the client is online and sends an EAP-Success packet to inform the client that the keepalive succeeded.
Table 12-12 Configure the keepalive function

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see above) |
| Configure the keepalive function | dot1x keepalive { enable \| disable } | Mandatory. By default, the keepalive function is disabled on the port. |
| Configure the keepalive period | dot1x keepalive period period-value | Optional. By default, the keepalive period on the port is 60s. |
| Configure the number of keepalive packet retransmissions | dot1x keepalive retries retries-value | Optional. By default, the maximum number of keepalive retransmissions on the port is 3. |
| Configure the keepalive type | dot1x keepalive type { request-identity \| request-md5 } | Optional. By default, the keepalive type on the port is the standard keepalive. |

- The keepalive function must be supported by the 802.1X authentication client software (such as the Maipu TC client). If the client does not support it, the keepalive may fail and the user goes offline.
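The note above is the operationally important one: a keepalive the client cannot answer does not merely fail silently, it logs the user off. The Python below is an added example, not Maipu code, and models the exchange described in this section together with the `period`, `retries` and `type` settings from Table 12-12. The client stubs (`make_client`), the credential and the assumption that each unanswered exchange costs one `period` before retransmission are the example's own; the page does not state the exact retransmission timing.

```python
"""Keepalive round between authenticator and client (added example, not Maipu code).

Models dot1x keepalive period / retries / type and the failure mode in which a
client without keepalive support is taken offline.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3    # EAP codes (RFC 3748)
TYPE_IDENTITY, TYPE_MD5 = 1, 4                      # EAP types: Identity, MD5-Challenge


@dataclass
class KeepaliveConfig:
    period: int = 60                  # dot1x keepalive period (seconds); page default 60s
    retries: int = 3                  # dot1x keepalive retries; page default 3
    kind: str = "request-identity"    # dot1x keepalive type: request-identity | request-md5


def md5_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def make_client(username: bytes, password: bytes, answers_identity=True, answers_md5=True):
    """Constructed client stub: returns an EAP response dict, or None when it stays silent."""
    def client(req: dict):
        if req["code"] != EAP_REQUEST:
            return None                                  # EAP-Success needs no reply
        if req["type"] == TYPE_IDENTITY and answers_identity:
            return {"code": EAP_RESPONSE, "id": req["id"], "type": TYPE_IDENTITY, "data": username}
        if req["type"] == TYPE_MD5 and answers_md5:
            return {"code": EAP_RESPONSE, "id": req["id"], "type": TYPE_MD5,
                    "data": md5_response(req["id"], password, req["data"])}
        return None
    return client


def run_keepalive(cfg: KeepaliveConfig, client, password: bytes) -> tuple:
    """One keepalive cycle. Returns (state, seconds_elapsed), state being "online" or "offline".

    Model assumption: each unanswered exchange costs one period before the next retransmission,
    so an unresponsive client is declared offline after retries * period seconds.
    """
    elapsed, eap_id = 0, 1
    for _ in range(cfg.retries):
        ident = client({"code": EAP_REQUEST, "id": eap_id, "type": TYPE_IDENTITY, "data": b""})
        if ident is not None:
            if cfg.kind == "request-identity":
                return "online", elapsed                 # identity answer alone proves liveness
            eap_id += 1
            challenge = os.urandom(16)
            reply = client({"code": EAP_REQUEST, "id": eap_id, "type": TYPE_MD5, "data": challenge})
            if reply is not None and hmac.compare_digest(reply["data"], md5_response(eap_id, password, challenge)):
                client({"code": EAP_SUCCESS, "id": eap_id})   # EAP-Success: keepalive succeeded
                return "online", elapsed
        elapsed += cfg.period
        eap_id += 1
    return "offline", elapsed


PASSWORD = b"s3cret"    # constructed credential shared by the client stub and the authenticator


def demo() -> dict:
    full = make_client(b"alice", PASSWORD)
    identity_only = make_client(b"alice", PASSWORD, answers_md5=False)     # no MD5 keepalive support
    silent = make_client(b"alice", PASSWORD, answers_identity=False, answers_md5=False)
    return {
        "md5_full": run_keepalive(KeepaliveConfig(kind="request-md5"), full, PASSWORD),
        "md5_identity_only": run_keepalive(KeepaliveConfig(kind="request-md5"), identity_only, PASSWORD),
        "identity_identity_only": run_keepalive(KeepaliveConfig(), identity_only, PASSWORD),
        "silent": run_keepalive(KeepaliveConfig(period=30, retries=2), silent, PASSWORD),
    }
```

The `md5_identity_only` case is the scenario from the note: a client that answers Identity but never completes the MD5 challenge is declared offline after `retries` unanswered rounds (180s with the defaults), whereas the same client stays online under the `request-identity` type. Checking the MD5 response with `hmac.compare_digest` rather than `==` is the usual defensive choice when comparing authentication values.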
Configure Not Waiting for Server Response
In relay authentication mode, the client may send packets that the server does not answer. Such packets occupy the session channel between the authentication device and the authentication server, and as a result subsequent client authentications fail. Enabling the function of not waiting for the server response on the port avoids this problem.
Table 12-13 Configure the function of not waiting for the server response

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see above) |
| Configure the function of not waiting for the server response | dot1x nowait-result | Mandatory. By default, the function of not waiting for the server response is disabled. |