(Optional) Configuring 802.1X-based Fast Deployment

Context

On an 802.1X network, downloading and upgrading 802.1X client software on every client is a heavy workload for the administrator. Authentication-free network access and URL redirection can be configured to deploy 802.1X clients quickly.

If an authentication-free subnet is configured, a client can access the network resources in that subnet before it passes 802.1X authentication. If a redirect URL is configured for 802.1X authentication users and a user accesses the network with a browser, the device redirects the user's request to the configured URL (for example, the 802.1X client download web page). In this way, the web page preset by the administrator is displayed when the user starts the browser. The server that provides the redirect URL must be in the authentication-free IP subnet of the user.

  • The 802.1X-based fast deployment function needs to be configured only when the third-party 802.1X client software is used.
  • 802.1X authentication has been enabled globally and on an interface using the dot1x enable command.

  • To ensure that pre-connection users can be aged out normally, you need to run the dot1x timer free-ip-timeout command to set the aging time of authentication-free user entries.
  • After the free-ip function is configured, the guest VLAN, critical VLAN, and restrict VLAN are no longer effective.

  • The free IP subnet takes effect only when the interface authorization state is auto.

  • If a user who has not passed 802.1X authentication needs to obtain an IP address dynamically from a DHCP server, the network segment of the DHCP server must be configured as a free IP subnet so that the user can access the DHCP server.

  • After 802.1X users go offline, they are not allowed to access network resources on free IP subnets within a specified period to prevent malicious attacks.

  • After users succeed in 802.1X-based fast deployment, they can access only resources in the free IP subnets and some resources on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x free-ip ip-address { mask-length | mask-address }

    An authentication-free IP subnet is configured.

    By default, no authentication-free IP subnet is configured.

  3. Run dot1x timer free-ip-timeout free-ip-time-value

    The aging time of authentication-free user entries is configured.

    By default, the value of the aging time for authentication-free user entries is 1380 minutes.

  4. Run dot1x url url-string

    The redirect URL in 802.1X authentication is configured.

    By default, no redirect URL is configured in 802.1X authentication.
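
A pre-deployment check of a planned command list against the constraints stated above (redirect server and DHCP server inside a free IP subnet, aging timer set). This is an added example, not Huawei code: the function name, addresses and URL are constructed, and it assumes the mask follows the address as in the step 2 syntax.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample configuration; addresses and URL are illustrative only.
SAMPLE_CONFIG = """\
system-view
dot1x free-ip 192.168.10.0 24
dot1x free-ip 10.1.1.0 255.255.255.0
dot1x timer free-ip-timeout 60
dot1x url http://192.168.20.5/client/download
"""

def check_fast_deployment(config, dhcp_server=None):
    """Return a list of findings for a planned fast-deployment config."""
    subnets, url, timeout_set, findings = [], None, False, []
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["dot1x", "free-ip"] and len(words) == 4:
            # Accepts both mask-length (24) and mask-address (255.255.255.0).
            subnets.append(ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False))
        elif words[:3] == ["dot1x", "timer", "free-ip-timeout"]:
            timeout_set = True
        elif words[:2] == ["dot1x", "url"] and len(words) == 3:
            url = words[2]

    def in_free_subnet(addr):
        return any(ipaddress.ip_address(addr) in net for net in subnets)

    if not subnets:
        findings.append("no free-ip subnet configured")
    if not timeout_set:
        findings.append("free-ip-timeout not set explicitly")
    if url is None:
        findings.append("no redirect URL configured")
    else:
        host = urlsplit(url).hostname or ""
        try:
            if not in_free_subnet(host):
                findings.append(f"redirect server {host} is outside the free-ip subnets")
        except ValueError:
            findings.append(f"redirect host {host!r} is a name; verify its address manually")
    if dhcp_server and not in_free_subnet(dhcp_server):
        findings.append(f"DHCP server {dhcp_server} is outside the free-ip subnets")
    return findings
```

On the sample above the check reports the redirect server, because 192.168.20.5 is in neither configured free IP subnet and unauthenticated users could not reach the download page.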

Copyright © Huawei Technologies Co., Ltd.