Extended Functions - H3C S3100 Series Operation Manual


- Upon startup, a terminal triggers MAC authentication first on the access device. If it passes MAC
  authentication, no other types of authentication will be performed. If it fails, 802.1X or Web
  authentication can be triggered.
- If a terminal sends an EAP packet using the 802.1X client or a third-party client, only 802.1X
  authentication is triggered for the terminal on the access device.
- If a terminal sends an HTTP packet, Web authentication is triggered for the terminal on the access
  device.

For terminals passing a type of authentication, the following principles are followed:

- After a terminal passes 802.1X authentication or Web authentication, no other types of
  authentication will be triggered for the terminal.
- After a terminal passes MAC authentication, no Web authentication will be triggered for the
  terminal but 802.1X authentication can be triggered for it, and the 802.1X authentication
  information will overwrite the MAC authentication information for the terminal.

If both MAC authentication and Web authentication are enabled on an interface that is configured with a
static MAC address binding for a connected client, the client still needs to pass authentication before
going online. To make the client free from authentication, you can execute the web-authentication
free-user command or configure an ACL rule to permit packets sourced from the client to pass.

Extended Functions

A port enabled with the three types of authentication also supports the following extended functions.

- Authorized VLAN assignment
  After a terminal passes authentication, the server assigns an authorized VLAN to the access port
  connected to that terminal and then the access port adds the terminal to the authorized VLAN.
  For information about VLAN assignment, refer to AAA Operation.
- VLAN assigned to terminals failing authentication
  After a terminal fails authentication, the access port adds the terminal to a preconfigured VLAN.
  - For 802.1X and portal authentication terminals, the preconfigured VLAN refers to the Auth-Fail
    VLAN configured on the access port.
  - For MAC authentication terminals, the preconfigured VLAN refers to the Guest VLAN or the
    Auth-Fail VLAN configured on the access port.
- Detection of online terminals
  - An idle user checking interval can be enabled to detect online Web authenticated terminals.
  - The online handshake function or re-authentication function can be enabled to detect online
    802.1X authentication terminals at a configurable interval.
  - An offline detection timer can be enabled to detect online MAC authentication terminals at a
    configurable interval.
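
The trigger rules and VLAN placement described above, modelled as a small Python state machine for reasoning about which session a terminal ends up with. This is an added example, not H3C code; the names Terminal, triggered_method, apply_result and replay, the VLAN labels, and the handling of a failed 802.1X attempt after a MAC pass (session left unchanged) are assumptions the manual does not specify.

```python
# Added illustration: models only the trigger rules stated in the text above.
# Names (Terminal, triggered_method, apply_result, replay) are hypothetical.
from dataclasses import dataclass
from typing import Optional

MAC, DOT1X, WEB = "mac", "802.1x", "web"
# Event that can start each method, per the text.
EVENT_METHOD = {"startup": MAC, "eap": DOT1X, "http": WEB}

@dataclass
class Terminal:
    passed: Optional[str] = None   # method the terminal is currently online with
    vlan: Optional[str] = None     # VLAN the access port placed the terminal in

def triggered_method(t: Terminal, event: str) -> Optional[str]:
    """Return the authentication the access device starts for this event, or None."""
    method = EVENT_METHOD[event]
    if t.passed in (DOT1X, WEB):
        return None                # passed 802.1X or Web: nothing else is triggered
    if t.passed == MAC:
        return DOT1X if method == DOT1X else None  # only 802.1X may follow MAC
    return method                  # not yet authenticated

def apply_result(t: Terminal, method: str, ok: bool, authorized_vlan: str = "authorized") -> Terminal:
    """Record an authentication outcome and the resulting VLAN placement."""
    if ok:
        # A later 802.1X pass overwrites the MAC authentication information.
        return Terminal(passed=method, vlan=authorized_vlan)
    if t.passed is not None:
        return t                   # assumption: a failed 802.1X attempt leaves the MAC session as is
    # Failed terminals go to a preconfigured VLAN (for MAC, the Guest VLAN is also possible).
    return Terminal(passed=None, vlan="auth-fail")

def replay(events):
    """Replay (event, ok, vlan) tuples; return the final state and the methods triggered."""
    t, log = Terminal(), []
    for event, ok, vlan in events:
        m = triggered_method(t, event)
        log.append(m)
        if m is not None:
            t = apply_result(t, m, ok, vlan)
    return t, log

# Constructed sequence: MAC passes, HTTP is then ignored, 802.1X later overrides.
SAMPLE = [("startup", True, "vlan10"), ("http", True, "vlan20"), ("eap", True, "vlan30")]
if __name__ == "__main__":
    print(replay(SAMPLE))
```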