Configuring 802.1X; Configuring 802.1X Globally - 3Com 4500G Family Configuration Manual

The online user handshake security function helps prevent online users from using illegal client
software to exchange handshake messages with the device. Using illegal client software for handshake
message exchange may result in escape from some security inspection functions, such as proxy
detection and dual network interface card (NIC) detection. With the online handshake security function
enabled, the device checks the authentication information carried in the handshake messages of a
client. If the client fails the authentication, the device forces the user offline.
Mandatory authentication domain for a specified port
The mandatory authentication domain function provides a security control mechanism for 802.1X
access. With a mandatory authentication domain specified for a port, the system uses the mandatory
authentication domain for authentication, authorization, and accounting of all 802.1X users on the port.
In this way, users accessing the port cannot use any account in other domains.
Meanwhile, for EAP relay mode 802.1X authentication that uses certificates, the certificate of a user
determines the authentication domain of the user. However, you can specify different mandatory
authentication domains for different ports even if the user certificates are from the same certificate
authority (that is, the user domain names are the same). This allows you to deploy 802.1X access
policies flexibly.

Configuring 802.1X

Configuration Prerequisites
802.1X provides a user identity authentication scheme. However, 802.1X cannot implement the
authentication scheme solely by itself. RADIUS or local authentication must be configured to work with
802.1X.
Configure the ISP domain to which the 802.1X user belongs and the AAA scheme to be used (that
is, local authentication or RADIUS).
For remote RADIUS authentication, the username and password information must be configured
on the RADIUS server.
For local authentication, the username and password information must be configured on the device
and the service type must be set to lan-access.
For detailed configuration of the RADIUS client, refer to AAA Configuration in the Security Volume.

Configuring 802.1X Globally

Follow these steps to configure 802.1X globally:
To do...
Enter system view
Enable 802.1X globally
Set the authentication method
Set the port
access control
parameters
Use the command...
system-view
dot1x
dot1x authentication-method
{ chap | eap | pap }
Set the port
dot1x port-control
access control
{ authorized-force | auto |
mode for
unauthorized-force } [ interface
specified or all
interface-list ]
ports
1-11
Remarks
—
Required
Disabled by default
Optional
CHAP by default
Optional
auto by default