The dot1x free-ip command configures a free IP subnet.
The undo dot1x free-ip command deletes the configured free IP subnet.
By default, no free IP subnet is configured.
dot1x free-ip ip-address { mask-length | mask-address }
undo dot1x free-ip { ip-address { mask-length | mask-address } | all }
Parameter | Description | Value |
---|---|---|
ip-address | Specifies a free IP subnet. | The value is in dotted decimal notation. |
mask-length | Specifies the mask length of an IP address. | The value is an integer that ranges from 1 to 32. |
mask-address | Specifies the mask of the IP address. | The value is in dotted decimal notation. |
all | Deletes all free IP subnets. | - |
Usage Scenario
802.1X users can access networks only after being authenticated. You can configure a free IP subnet, so that users can access network resources in the free IP subnet before being authenticated.
Precautions
Before you run this command, 802.1X authentication must have been enabled globally and on an interface using the dot1x enable command.
After the free-ip function is configured, the guest VLAN, critical VLAN, and restrict VLAN are no longer effective.
The free IP subnet takes effect only when the interface authorization state is auto.
If a user who has not passed 802.1X authentication needs to obtain an IP address dynamically from a DHCP server, the network segment of the DHCP server must be configured as a free IP subnet so that the user can reach the DHCP server.
After 802.1X users go offline, they are not allowed to access network resources on free IP subnets within a specified period to prevent malicious attacks.
After users succeed in 802.1X-based fast deployment, they can access only resources in the free IP subnets and some resources on the device.
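Added example (not part of the original command reference): a Python audit of a saved configuration that parses both documented forms of dot1x free-ip, rejects mask lengths outside 1 to 32, and reports free IP subnets that are broad or that do not contain the DHCP server. The sample configuration, the DHCP server address and the max_hosts threshold are assumptions made for illustration.

```python
import ipaddress
import re

# Syntax from this page: dot1x free-ip ip-address { mask-length | mask-address }
FREE_IP = re.compile(r"^\s*dot1x free-ip\s+(\S+)\s+(\S+)\s*$")

def parse_free_ip(config_text):
    """Return (networks, errors) for every dot1x free-ip line in a config."""
    networks, errors = [], []
    for line in config_text.splitlines():
        m = FREE_IP.match(line)
        if not m:
            continue
        addr, mask = m.groups()
        try:
            if mask.isdigit() and not 1 <= int(mask) <= 32:
                raise ValueError("mask-length outside 1-32")  # documented range
            # strict=False: accept a host address and reduce it to its subnet
            networks.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        except ValueError as exc:
            errors.append(f"{line.strip()}: {exc}")
    return networks, errors

def audit(config_text, dhcp_server, max_hosts=256):
    """Flag free IP subnets that are too broad or that miss the DHCP server.

    max_hosts is an assumed review threshold, not a device limit.
    """
    networks, findings = parse_free_ip(config_text)
    dhcp = ipaddress.ip_address(dhcp_server)
    for net in networks:
        if net.num_addresses > max_hosts:
            findings.append(
                f"{net}: {net.num_addresses} addresses reachable before authentication")
    if not any(dhcp in net for net in networks):
        findings.append(f"DHCP server {dhcp} is not inside any free IP subnet")
    return findings

# Constructed sample configuration (documentation address ranges, not a real device)
SAMPLE = """\
dot1x enable
dot1x free-ip 192.0.2.0 24
dot1x free-ip 10.0.0.0 255.0.0.0
dot1x free-ip 198.51.100.7 0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "203.0.113.10"):
        print(finding)
```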