Configure 802.1X Authentication Function
802.1X authentication and MAC address authentication can be configured simultaneously on the same interface.
- If the end user performs MAC address authentication first and it succeeds, 802.1X authentication initiated by that end user is not processed. Otherwise, 802.1X authentication initiated by the end user is processed normally.
- If the end user initiates 802.1X authentication first, MAC address authentication is not performed.
Configuration Condition
None
Enable 802.1X Authentication
To enable the 802.1X authentication function, the end user must install client software that supports 802.1X authentication.
Table 12–2 Enable 802.1X
| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enable global 802.1X authentication | dot1x { enable \| disable } | Optional. By default, the global 802.1X authentication function is enabled. |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see the previous row). |
| Enable the 802.1X authentication | dot1x port-control { enable \| disable } | Mandatory. By default, the 802.1X authentication function in the port is disabled. |
- Do not enable the 802.1X authentication function and the secure channel authentication function simultaneously on one port.
- The 802.1X authentication function and the port security function can be enabled on one port at the same time, with the following limitation: configuring the port security IP rule or MAX rule is not permitted.
- If port security is configured with a related MAC rule while the 802.1X authentication function is used together with the port security function, 802.1X does not process the packets and authentication requests sent by the terminal; they are processed by port security.
Configure ARP/IP Packets to Trigger Generation of the 802.1X User
After the 802.1X authentication function is enabled on the port, if information about a terminal user needs to be viewable on the authentication device without that terminal user initiating authentication, configure ARP/IP packets to trigger generation of the 802.1X user.
Enable both the 802.1X authentication function and the ARP/IP-packet trigger function on the same port. When the authentication device then receives an ARP or IP packet from the terminal user on that port, it can generate the 802.1X user.
Table 12-3 Enable the function of the ARP/IP packet triggering generating the 802.1X user
| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see the previous row). |
| Configure the function of the ARP/IP packet triggering generating the 802.1X user | dot1x arp-ip-auth { enable \| disable } | Mandatory. By default, the function of the ARP/IP packet triggering generating the 802.1X user is disabled on the port. |
| Configure the timeout of the ARP/IP packet triggering generating the 802.1X user | dot1x arp-ip-auth timeout timeout-value | Optional. By default, the timeout of the ARP/IP packet triggering generating the 802.1X user is 5 minutes. |
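The defaults in the two tables above mean a port is only under 802.1X control once `dot1x port-control enable` is set explicitly. The following audit sketch is an added example, not vendor code: it applies those defaults to a saved configuration and lists the ports that are not enforcing 802.1X or that enable the ARP/IP trigger without port control. The sample configuration, its block layout, the interface names and the assumption that a port setting has no effect while global 802.1X is disabled are all constructed for illustration.

```python
import re

# Constructed sample; block layout and interface names are assumptions.
SAMPLE_CONFIG = """\
dot1x enable
interface gigabitethernet 0/1
 dot1x port-control enable
 dot1x arp-ip-auth enable
 dot1x arp-ip-auth timeout 10
 exit
interface gigabitethernet 0/2
 dot1x arp-ip-auth enable
 exit
interface gigabitethernet 0/3
 dot1x port-control disable
 exit
interface link-aggregation 1
 dot1x port-control enable
 exit
"""

PORT_CMD = re.compile(r"dot1x (port-control|arp-ip-auth) (enable|disable)")

def audit_dot1x(config_text):
    """Return (global_enabled, {interface: [findings]}) for a config dump."""
    global_enabled = True  # page default: global 802.1X is enabled
    ports, current = {}, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"port-control": False, "arp-ip-auth": False}  # page defaults
        elif line == "exit":
            current = None
        elif current is None and line in ("dot1x enable", "dot1x disable"):
            global_enabled = line == "dot1x enable"
        elif current is not None and (m := PORT_CMD.fullmatch(line)):
            ports[current][m.group(1)] = m.group(2) == "enable"
    findings = {}
    for name, state in ports.items():
        issues = []
        if not state["port-control"]:
            issues.append("802.1X not enforced: port-control is disabled")
            if state["arp-ip-auth"]:
                issues.append("arp-ip-auth is enabled but port-control is not")
        elif not global_enabled:
            issues.append("port-control is enabled but global dot1x is disabled")
        if issues:
            findings[name] = issues
    return global_enabled, findings
```

Uplinks and other ports that are intentionally outside 802.1X will appear in the findings and should be allow-listed by the reviewer.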