H3C S3100-52P Operation Manual page 391

Operation Manual – 802.1x and System Guard
H3C S3100-52P Ethernet switch
Caution:
You must configure the URL for HTTP redirection before configuring a free IP range.
A URL must start with http:// and the segment where the URL resides must be in the
free IP range. Otherwise, the redirection function cannot take effect.
You must disable the DHCP-triggered authentication function of 802.1x before
configuring a free IP range.
With dot1x enabled but quick EAD deployment disabled, users cannot access the
DHCP server if they fail 802.1x authentication. With quick EAD deployment enabled,
users can obtain IP addresses dynamically before passing authentication if the IP
address of the DHCP server is in the free IP range.
The quick EAD deployment function applies to only ports with the access control
mode set to auto through the dot1x port-control command.
At present, 802.1x is the only access approach that supports quick EAD
deployment.
Currently, the quick EAD deployment function does not support port security. The
configured free IP range cannot take effect if you enable port security.
II. Setting the ACL timeout period
The quick EAD deployment function depends on ACLs in restricting access of users
failing authentication. Each online user that has not passed authentication occupies a
certain amount of ACL resources. After a user passes authentication, the occupied ACL
resources will be released. When a large number of users log in but cannot pass
authentication, the switch may run out of ACL resources, preventing other users from
logging in. A timer called ACL timer is designed to solve this problem.
You can control the usage of ACL resources by setting the ACL timer. The ACL timer
starts once a user gets online. If the user has not passed authentication when the ACL
timer expires, the occupied ACL resources are released for other users to use. When a
tremendous of access requests are present, you can decrease the timeout period of the
ACL timer appropriately for higher utilization of ACL resources.
Follow these steps to configure the ACL timer:
To do...
Enter system view
Set the ACL timer
Chapter 2 Quick EAD Deployment Configuration
Use the command...
system-view
dot1x timer acl-timeout
acl-timeout-value
2-3
Remarks
—
Required
By default, the ACL
timeout period is 30
minutes.