
authentication handshake

Function

The authentication handshake command enables the handshake with pre-connection users and authorized users.

The undo authentication handshake command disables the handshake with pre-connection users and authorized users.

By default, the handshake with pre-connection users and authorized users is enabled.

Format

authentication handshake

undo authentication handshake

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device creates entries for pre-connection users, users who fail to be authenticated and are assigned network access rights, and users who are authenticated. After users go offline in normal situations, the system immediately deletes the corresponding user entries. However, if some users go offline due to exceptions such as network disconnections, the system cannot immediately delete the corresponding user entries. If there are too many such user entries, other users may fail to access the network.

To solve this problem, run the authentication handshake command to enable the handshake with pre-connection users and authorized users. If a user does not respond to the handshake request from the device within the handshake interval, the device deletes the user entry.

Precautions

  • The handshake interval for MAC address authentication users, Layer 3 Portal authentication users, and 802.1X authentication users is configured using the authentication timer handshake-period command. The handshake interval for Layer 2 Portal authentication users is configured using the portal timer offline-detect command.

  • For Layer 3 Portal authentication users, only those who go online through S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI support this function.

  • This function takes effect only for the wired users who obtain IP addresses.

  • A configuration change takes effect only for wired users who go online after the change.

  • The handshake function is implemented using ARP probe packets or neighbor discovery (ND) probe packets.

  • The handshake function can also be implemented by detecting whether there is user traffic on the access device. Assuming that the handshake interval is 3n, the device checks for user traffic at n and 2n. The following uses the 0-n period as an example; the process during the n-2n period is similar. (This process applies only to authentication users who go online from the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI. Other switch models do not detect user traffic; they send probe packets at n and 2n.)
    • If user traffic passes the device during the 0-n period, the device considers that the user is online at n, so it will not send a probe packet to the user, but resets the handshake interval.
    • If no user traffic passes the device during the 0-n period, the device cannot determine whether the user is online at n, so it sends a probe packet to the user. If the device receives the reply packet from the user, it considers the user online and resets the handshake interval. If no reply packet is received, it considers the user offline.
    • If user traffic passes the device during the 2n-3n period, the device considers that the user is online at 3n and resets the handshake interval.
    • If no user traffic passes the device during the 2n-3n period, the device cannot determine whether the user is online at 3n and considers that the user is offline.
    If the device considers that the user is offline at n, 2n, and 3n, the device deletes all entries related to the user. To prevent the user from going offline unexpectedly when no operation is performed on the PC, do not set a short handshake period.
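The traffic-detection handshake described above, modelled as an added example (not Huawei code). It assumes that "resets the handshake interval" restarts the cycle at checkpoint n; the function name, the values of n and the sample timelines are constructed.

```python
# Added illustration of the n / 2n / 3n checks; not vendor code.
# Assumption: an "online" verdict restarts the cycle at checkpoint n.

def simulate_handshake(segments, n):
    """segments: one (traffic_seen, answers_probe) tuple per n-second slice.
    Returns (log, deleted_at): deleted_at is the time in seconds at which the
    user entry is deleted, or None if the entry survives the whole timeline."""
    log = []
    misses = 0  # consecutive checkpoints at which the user looked offline
    for i, (traffic, answers) in enumerate(segments, start=1):
        now = i * n
        checkpoint = ("n", "2n", "3n")[misses]
        if traffic:
            # Traffic in the slice proves liveness; no probe is sent.
            log.append((now, checkpoint, "traffic seen: online, interval reset"))
            misses = 0
        elif misses < 2 and answers:
            # At n and 2n a silent user gets an ARP/ND probe.
            log.append((now, checkpoint, "probe answered: online, interval reset"))
            misses = 0
        elif misses < 2:
            log.append((now, checkpoint, "probe unanswered: offline"))
            misses += 1
        else:
            # At 3n only traffic counts; silence means the entry is deleted.
            log.append((now, checkpoint, "no traffic: offline, entry deleted"))
            return log, now
    return log, None

# Constructed timelines (not captured from a device).
UNPLUGGED = [(False, False)] * 3             # cable pulled, nothing answers
IDLE_BUT_ALIVE = [(False, True)] * 6         # no traffic, still answers probes
LATE_TRAFFIC = [(False, False), (False, False), (True, False),
                (False, False), (False, False), (False, False)]

if __name__ == "__main__":
    for name, timeline, n in [("unplugged, interval 300s", UNPLUGGED, 100),
                              ("idle but alive, interval 300s", IDLE_BUT_ALIVE, 100),
                              ("traffic in 2n-3n, interval 300s", LATE_TRAFFIC, 100),
                              ("unreachable for 15s, interval 15s", UNPLUGGED, 5)]:
        log, deleted_at = simulate_handshake(timeline, n)
        print(name, "-> deleted at", deleted_at)
        for entry in log:
            print("   ", entry)
```

The last timeline shows the effect of a short handshake period: a host that is unreachable for only 15 seconds loses its entry, whereas with a 300-second interval the same host would have to stay silent for the full 300 seconds.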

Example

# In the authentication profile p1, enable the handshake with pre-connection users and authorized users.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication handshake
Copyright © Huawei Technologies Co., Ltd.