Sending EAP-Success Packets For 802.1X Users Assignment To The 802.1X Critical VLAN; Specifying Supported Domain Name Delimiters - HP FlexNetwork 10500 Series Security Configuration Manual

Sending EAP-Success packets for 802.1X users assignment to the 802.1X critical VLAN

By default, the device sends an EAP-Failure packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on the port. After receiving the EAP-Failure packet, the client does not respond to the EAP-Request/Identity packet from the device when an authentication server becomes reachable. This mechanism causes reauthentication failure for some 802.1X clients, for example, the 802.1X clients available with the Windows operating system.

This feature solves the reauthentication problem. When a client receives the EAP-Success packet, it determines that the 802.1X user has come online, and it can respond to the EAP-Request/Identity packet from the device for reauthentication.

To enable the device to send an EAP-Success packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on a port:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
| 3. Send an EAP-Success packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on the port. | dot1x critical eapol | By default, the device sends an EAP-Failure packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on the port. |

Specifying supported domain name delimiters

By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users who use other domain name delimiters. The configurable delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.

If an 802.1X username string contains multiple configured delimiters, the rightmost delimiter is the domain name delimiter. For example, if you configure the backslash (\), dot (.), and forward slash (/) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.

If a username string contains none of the delimiters, the access device authenticates the user in the mandatory or default ISP domain.

To specify a set of domain name delimiters:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Specify a set of domain name delimiters for 802.1X users. | dot1x domain-delimiter string | By default, only the at sign (@) delimiter is supported. |
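
The rightmost-delimiter rule described above, written out as an added Python example (not code from the HP manual or the device software). It shows how the configured delimiter set decides which part of an 802.1X identity is treated as the ISP domain. The function name split_dot1x_identity and every sample identity except 121.123/22\@abc are constructed for illustration.

```python
# Added illustration of the manual's rightmost-delimiter rule; not device code.
DOMAIN_ON_LEFT = {"\\"}            # domain-name\username
DOMAIN_ON_RIGHT = {"@", ".", "/"}  # username@domain-name, username.domain-name,
                                   # username/domain-name
ALLOWED = DOMAIN_ON_LEFT | DOMAIN_ON_RIGHT


def split_dot1x_identity(identity, delimiters="@"):
    """Return (username, domain, delimiter) for an 802.1X identity string.

    `delimiters` plays the role of the string given to
    `dot1x domain-delimiter`; the default "@" mirrors the device default.
    domain and delimiter are None when no configured delimiter is present,
    the case the manual sends to the mandatory or default ISP domain.
    """
    configured = set(delimiters)
    unknown = configured - ALLOWED
    if unknown:
        raise ValueError(f"unsupported delimiter(s): {sorted(unknown)}")

    # The rightmost occurrence of any configured delimiter is the separator.
    pos = max((identity.rfind(d) for d in configured), default=-1)
    if pos < 0:
        return identity, None, None

    delim = identity[pos]
    left, right = identity[:pos], identity[pos + 1:]
    if delim in DOMAIN_ON_LEFT:
        return right, left, delim   # domain-name\username
    return left, right, delim       # username<delim>domain-name


if __name__ == "__main__":
    # Constructed samples, plus the manual's own 121.123/22\@abc example.
    samples = [
        ("121.123/22\\@abc", "\\./"),
        ("alice@example.com", "@"),
        ("alice@example.com", "@."),   # enabling "." changes the split
        ("corp\\alice@lab", "\\"),     # "@" not configured, stays in username
        ("alice", "@"),
    ]
    for identity, delims in samples:
        user, domain, delim = split_dot1x_identity(identity, delims)
        print(f"{identity!r:22} delims={delims!r:8} "
              f"user={user!r} domain={domain!r} delimiter={delim!r}")
```

Running candidate identities through the intended delimiter set before changing dot1x domain-delimiter shows which ISP domain each login would be matched against.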
