(Optional) Configuring Network Access Rights for Users in Different Authentication Stages

Context

To grant users rights to access certain network resources during access authentication, you can configure network access rights for users.

pre-authen: specifies the network access rights granted to users before authentication starts.
authen-fail: specifies the network access rights granted to users when authentication fails.
authen-server-down: specifies the network access rights granted to users when the authentication server does not respond.
client-no-response: specifies the network access rights granted to users when the 802.1X client does not respond.

The priority of authentication event on the interface is higher than the priority of authentication event in the system view, and higher than the priority of guest VLAN, restrict VLAN, or critical VLAN.

Procedure

Run system-view
The system view is displayed.

Configure network access rights for users in the system view or interface view.

View	Step
System view	Run the authentication event { pre-authen \| authen-fail \| authen-server-down \| client-no-response } { vlan vlan-id \| user-group group-name } command to configure the network access rights in different authentication stages. By default, no network access right is granted to users in different authentication stages.
Interface view	Run the interface interface-type interface-number command to enter the interface view. Run the authentication event { pre-authen \| authen-fail \| authen-server-down \| client-no-response } { vlan vlan-id \| user-group group-name } command to configure the network access rights in different authentication stages. Run the quit command to return to the system view. By default, no network access right is granted to users in different authentication stages.

View

Step

System view

Run the authentication event { pre-authen | authen-fail | authen-server-down | client-no-response } { vlan vlan-id | user-group group-name } command to configure the network access rights in different authentication stages.

By default, no network access right is granted to users in different authentication stages.

Interface view

Run the interface interface-type interface-number command to enter the interface view.
Run the authentication event { pre-authen | authen-fail | authen-server-down | client-no-response } { vlan vlan-id | user-group group-name } command to configure the network access rights in different authentication stages.
Run the quit command to return to the system view.

By default, no network access right is granted to users in different authentication stages.

(Optional) Set the timeout period of the network access rights granted to users in different authentication stages. The configuration can be performed in the system view or interface view.

View	Step
System view	Run the authentication event { pre-authen \| authen-fail \| authen-server-down \| client-no-response } session-timeout session-time command to set the timeout period of the network access rights granted to users in different authentication stages. By default, the timeout period of the network access rights granted to users is 15 minutes.
Interface view	Run the interface interface-type interface-number command to enter the Layer 2 physical interface view. Run the authentication event { pre-authen \| authen-fail \| authen-server-down \| client-no-response } session-timeout session-time command to set the timeout period of the network access rights granted to users in different authentication stages. By default, the timeout period of the network access rights granted to users is 15 minutes. Run the quit command to return to the system view.

View

Step

System view

Run the authentication event { pre-authen | authen-fail | authen-server-down | client-no-response } session-timeout session-time command to set the timeout period of the network access rights granted to users in different authentication stages.

By default, the timeout period of the network access rights granted to users is 15 minutes.

Interface view

Run the interface interface-type interface-number command to enter the Layer 2 physical interface view.
Run the authentication event { pre-authen | authen-fail | authen-server-down | client-no-response } session-timeout session-time command to set the timeout period of the network access rights granted to users in different authentication stages.
By default, the timeout period of the network access rights granted to users is 15 minutes.
Run the quit command to return to the system view.

(Optional) Configure the device to return an authentication failure packet when a user fails in authentication or the authentication server does not respond. The configuration can be performed in the system view or interface view.

View	Step
System view	Run the authentication event { authen-fail \| authen-server-down } response-fail command to configure the device to return an authentication failure packet when a user fails in authentication or the authentication server does not respond. By default, the device returns an authentication success packet when a user fails in authentication or the authentication server does not respond.
Interface view	Run the interface interface-type interface-number command to enter the Layer 2 physical interface view. Run the authentication event { authen-fail \| authen-server-down } response-fail command to configure the device to return an authentication failure packet when a user fails in authentication or the authentication server does not respond. By default, the device returns an authentication success packet when a user fails in authentication or the authentication server does not respond.

View

Step

System view

Run the authentication event { authen-fail | authen-server-down } response-fail command to configure the device to return an authentication failure packet when a user fails in authentication or the authentication server does not respond.

By default, the device returns an authentication success packet when a user fails in authentication or the authentication server does not respond.

Interface view

Run the interface interface-type interface-number command to enter the Layer 2 physical interface view.
Run the authentication event { authen-fail | authen-server-down } response-fail command to configure the device to return an authentication failure packet when a user fails in authentication or the authentication server does not respond.

By default, the device returns an authentication success packet when a user fails in authentication or the authentication server does not respond.

(Optional) Configure the interval for re-authenticating users before the authentication succeeds.

The device periodically re-authenticates the pre-connection users and the users who fail to be authenticated so that the users can be authenticated in a timely manner. You can configure the re-authentication interval according to the actual networking.

User Type	Procedure
Pre-connection user	Run the authentication timer re-authen pre-authen reauth-time command to configure the interval for re-authenticating pre-connection users. By default, pre-connection users are re-authenticated at an interval of 60 seconds.
Users who fail authentication	Run the authentication timer re-authen authen-fail reauth-time command to configure the interval for re-authenticating users who fail to be authenticated. By default, users who fail to be authenticated are re-authenticated at an interval of 60 seconds.