
authentication trigger-condition (802.1X authentication)

Function

The authentication trigger-condition command configures the packet types that can trigger 802.1X authentication.

The undo authentication trigger-condition command restores the default configuration.

By default, DHCP/ARP/DHCPv6/ND packets can trigger 802.1X authentication.

Format

authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *

undo authentication trigger-condition [ dhcp | arp | dhcpv6 | nd | any-l2-packet ] *

Parameters

Parameter Description Value

dhcp: Triggers 802.1X authentication through DHCP packets. Value: -

arp: Triggers 802.1X authentication through ARP packets. Value: -

dhcpv6: Triggers 802.1X authentication through DHCPv6 packets. Value: -

nd: Triggers 802.1X authentication through ND packets. Value: -

any-l2-packet: Triggers 802.1X authentication through any packet. For multicast packets, the corresponding protocol must be enabled on the device; otherwise, those packets cannot trigger 802.1X authentication. Value: -

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After 802.1X authentication is enabled, the device by default triggers 802.1X authentication for a user when it receives a DHCP, DHCPv6, ND, or ARP packet from that user. Based on the types of users on the actual network, the administrator can narrow the set of packet types that trigger 802.1X authentication. For example, if all users on a network obtain IPv4 addresses dynamically, the device can be configured to trigger 802.1X authentication only through DHCP packets. ARP packets from unauthorized hosts with statically configured IPv4 addresses then no longer repeatedly trigger 802.1X authentication, which reduces device CPU usage.

If a client uses a static IPv4 address and therefore sends no DHCP, DHCPv6, ND, or ARP packets, 802.1X authentication cannot be triggered by the default trigger conditions. You can run the authentication trigger-condition any-l2-packet command so that any packet from the client triggers 802.1X authentication. Because this also lets any unauthenticated host that merely sends frames consume user entries on the device, you are advised, when enabling triggering through any packets on the access device, to also run the authentication mode max-user max-user-number command in the authentication profile view to limit the number of access users allowed on an interface. The recommended value is 10.
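# The following is an added configuration example (not taken from this page) that applies the recommendation above: enable triggering through any Layer 2 packet in access profile d1, pair it with the per-interface user limit of 10, and enable LLDP globally so that LLDPDUs can act as a trigger (see Precautions). The authentication profile name p1 and the command that binds d1 to that profile are assumptions for this example; the page itself only names the max-user command and the authentication profile view.

```console
<HUAWEI> system-view
# Allow any Layer 2 packet to trigger 802.1X authentication in access profile d1.
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] authentication trigger-condition any-l2-packet
[HUAWEI-dot1x-access-profile-d1] quit
# LLDPDUs are multicast BPDUs, so LLDP must be enabled globally before they can trigger authentication.
[HUAWEI] lldp enable
# Cap users per interface so unauthenticated hosts cannot exhaust the user table.
# Profile name p1 and the dot1x-access-profile binding are assumed for this example.
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] dot1x-access-profile d1
[HUAWEI-authen-profile-p1] authentication mode max-user 10
[HUAWEI-authen-profile-p1] quit
# To revert d1 to the default trigger set (DHCP, ARP, DHCPv6, and ND):
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] undo authentication trigger-condition
```

The user limit only takes effect for users who go online after it is configured, and without it the any-l2-packet setting lets a host occupy a user entry by sending a single frame of any type.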

Precautions

This function takes effect only for users who go online after this function is successfully configured.

To allow BPDUs to trigger 802.1X authentication, you must enable the function corresponding to the BPDUs globally. For example, to allow LLDPDUs to trigger 802.1X authentication, run the lldp enable command to enable LLDP globally.

When any-l2-packet is configured and 802.1X authentication is enabled on an interface, EAP packets sent from a client trigger 802.1X authentication first.

In a policy association scenario, 802.1X authentication can be triggered only by EAP, DHCP, ARP, DHCPv6, or ND packets.

When MAC address authentication and 802.1X authentication are both enabled on an interface, the packets that can trigger authentication are the union of the trigger packet types configured in the MAC access profile and in the 802.1X access profile. For example, assume that ARP packets cannot trigger authentication in the MAC access profile but can trigger authentication in the 802.1X access profile. If MAC address authentication and 802.1X authentication are both enabled on the interface, ARP packets can also trigger MAC address authentication.

For the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, when the ip-static-user enable and authentication trigger-condition any-l2-packet commands are both configured, user authentication cannot be triggered by any packets.

Example

# In the 802.1X access profile d1, configure the device to use DHCP packets to trigger 802.1X authentication.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] authentication trigger-condition dhcp
Copyright © Huawei Technologies Co., Ltd.