Enabling 802.1X Guest Vlan Assignment Delay; Configuring The Ead Assistant Feature - HP FlexNetwork 10500 Series Security Configuration Manual


NOTE:
If you configure the access device to send usernames with domain names to the RADIUS server,
make sure the domain delimiter can be recognized by the RADIUS server. For username format
configuration, see the user-name-format command in Security Command Reference.

Enabling 802.1X guest VLAN assignment delay

This feature delays assigning an 802.1X-enabled port to the 802.1X guest VLAN when 802.1X
authentication is triggered on the port.
This feature applies only to situations where 802.1X authentication is triggered by EAPOL-Start
packets from 802.1X clients or packets from unknown MAC addresses.
To use this feature, the 802.1X-enabled port must perform MAC-based access control.
When 802.1X authentication is triggered on a port, the device performs the following operations:
1. Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication.
2. Retransmits the packet if no response is received within the username request timeout interval set by using the dot1x timer tx-period command.
3. Assigns the port the 802.1X guest VLAN after the maximum number of request attempts set by using the dot1x retry command is reached.
To enable 802.1X guest VLAN assignment delay on a port:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
| 3. Enable 802.1X guest VLAN assignment delay on the port. | dot1x guest-vlan-delay [ eapol \| new-mac ] | By default, 802.1X guest VLAN assignment delay is disabled on a port. |

Configuring the EAD assistant feature

When you configure the EAD assistant feature, follow these restrictions and guidelines:
• You must disable MAC authentication and port security globally before you enable the EAD assistant feature.
• To make the EAD assistant feature take effect on an 802.1X-enabled port, you must set the port authorization mode to auto.
• When global MAC authentication or port security is enabled, the free IP does not take effect.
• If you use free IP, guest VLAN, and Auth-Fail VLAN features together, make sure the free IP segments are in both guest VLAN and Auth-Fail VLAN.
• To allow a user to obtain a dynamic IP address before it passes 802.1X authentication, make sure the DHCP server is on the free IP segment.
• The server that provides the redirect URL must be on the free IP accessible to unauthenticated users.
• To avoid using up ACL resources when a large number of EAD users exist, you can shorten the EAD rule timer.

To configure the EAD assistant feature:
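
The restrictions and guidelines listed above for the EAD assistant feature can be checked against a planned setup before it is applied. The following Python check is an added example, not part of the HP manual: the plan dictionary, its key names, and the sample addresses and port names are constructed. It assumes that "in the guest VLAN and Auth-Fail VLAN" can be modelled as subnet containment and that the redirect URL uses an IP literal as its host.

```python
import ipaddress
from urllib.parse import urlparse

def check_ead_plan(plan):
    """Return the guideline violations found in a planned EAD assistant setup."""
    problems = []
    free = [ipaddress.ip_network(n) for n in plan["free_ip"]]

    def on_free_ip(host):
        return any(ipaddress.ip_address(host) in n for n in free)

    # MAC authentication and port security must both be disabled globally.
    for feature in ("mac_authentication", "port_security"):
        if plan["global"][feature]:
            problems.append(f"global {feature} is enabled")
    # EAD assistant takes effect only on ports in authorization mode auto.
    for port, mode in plan["port_auth_mode"].items():
        if mode != "auto":
            problems.append(f"{port}: authorization mode is {mode}")
    # Free IP segments must be in both VLANs (assumption: subnet containment).
    for name in ("guest_vlan", "auth_fail_vlan"):
        vlan_net = ipaddress.ip_network(plan[name])
        for n in free:
            if not n.subnet_of(vlan_net):
                problems.append(f"free IP {n} is not in {name} {vlan_net}")
    # DHCP server and redirect URL server must sit on a free IP segment.
    if not on_free_ip(plan["dhcp_server"]):
        problems.append("DHCP server is not on a free IP segment")
    if not on_free_ip(urlparse(plan["redirect_url"]).hostname):
        problems.append("redirect URL server is not on a free IP segment")
    return problems

# Constructed sample plan; every address and port name is made up.
SAMPLE_PLAN = {
    "global": {"mac_authentication": False, "port_security": True},
    "port_auth_mode": {"GE1/0/1": "auto", "GE1/0/2": "authorized-force"},
    "free_ip": ["192.168.2.0/24"],
    "guest_vlan": "192.168.0.0/16",
    "auth_fail_vlan": "192.168.0.0/16",
    "dhcp_server": "192.168.2.5",
    "redirect_url": "http://192.168.3.10/ead",
}

if __name__ == "__main__":
    for problem in check_ead_plan(SAMPLE_PLAN):
        print("FAIL:", problem)
```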