Configuring 802.1X Authentication Functions on an Interface

After 802.1X authentication is enabled on an interface, a user device connected to the interface can access the network only after being authenticated. If authentication fails, the user device cannot access the network.

Context

802.1X authentication supports two access control types:
  • Interface-based access control: After the first user is authenticated, subsequent users can use network resources without being authenticated. If the first user goes offline, the other users can no longer access the network.

  • MAC-based access control: Every user accessing an interface is authenticated separately. If a user goes offline, other authenticated users can still access the network. If a client does not support 802.1X authentication, MAC address bypass authentication can be used for it.

An 802.1X authentication-enabled interface supports the following authorization modes:
  • Authorized: authorized-force is configured to allow users to access the network without being authenticated.

  • Auto: auto is configured to allow only EAPOL packets to pass through and prohibit users from accessing network resources. If authentication succeeds, the interface enters the authorized state and allows users to access the network.

  • Unauthorized: unauthorized-force is configured to prohibit user authentication. The authenticator does not provide authentication services for access users on this interface.

If the access control type or authorization state of an interface is changed when users are accessing the network through this interface, the users may be logged off unexpectedly.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run dot1x enable

    802.1X authentication is enabled on the interface.

  4. Run dot1x force-domain domain-name

    A forcible authentication domain is configured for 802.1X authentication on the interface.

    The domain bound to the 802.1X authentication-enabled interface is the forcible authentication domain configured for 802.1X authentication on the interface using the dot1x force-domain command.

  5. (Optional) Run dot1x port-method { port | mac }

    An access control type is configured on the interface.

    • After the dot1x port-method mac command is run, if a supplicant does not support 802.1X authentication, run the dot1x mac-bypass command to enable MAC bypass authentication for it.
    • To separately manage the traffic of users who pass authentication and users who fail it, run the dot1x vlan-tagged command so that the device replaces the VLAN ID carried in user packets with a specified VLAN ID.

  6. (Optional) Run dot1x port-control { authorized-force | auto | unauthorized-force }

    An authorization mode is configured for 802.1X authentication on the interface.

  7. (Optional) Run dot1x max-user number

    The maximum number of access users allowed to access the 802.1X authentication-enabled interface is configured.

    When the number of access users on an interface reaches the configured upper limit, no more users can access the network through this interface.
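The procedure above carried out end to end on one access port, given here as an added configuration example that is not from the original page. The interface name GigabitEthernet0/0/1, the domain name dot1x-dom and the user limit 8 are assumed values; lines beginning with # are annotations for the reader, not commands entered on the device.

```text
# Assumed access port; the commands follow steps 1 to 7 of the procedure.
system-view
interface GigabitEthernet0/0/1
 dot1x enable
# Step 4: every user on this port is authenticated in the assumed domain dot1x-dom.
 dot1x force-domain dot1x-dom
# Step 5: MAC-based control authenticates each device individually. With
# port-method port, every later device would ride on the first user's session
# and all of them would lose access when that user goes offline.
 dot1x port-method mac
# Step 5: fallback for devices without an 802.1X supplicant (printers, phones);
# only meaningful after port-method mac.
 dot1x mac-bypass
# Step 6: only EAPOL passes until authentication succeeds. authorized-force
# would open the port with no authentication; unauthorized-force blocks it.
 dot1x port-control auto
# Step 7: assumed limit; the 9th device on this port is refused.
 dot1x max-user 8
 quit
# Caveat from the Context section: changing port-method or port-control while
# users are online may log those users off, so apply such changes in a
# maintenance window.
```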

Copyright © Huawei Technologies Co., Ltd.